Golang 1.25.x < 1.25.8 / 1.26.x < 1.26.1 Multiple Vulnerabilities

medium Nessus Plugin ID 301252

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Golang running on the remote host is prior to 1.25.8, or 1.26.x prior to 1.26.1. It is, therefore, affected by multiple vulnerabilities as referenced in the advisory.

- The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid. To prevent this behavior, net/url.Parse now rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. (CVE-2026-25679)

- A TOCTOU (time-of-check/time-of-use) race condition exists in os.Root on Unix platforms. The File.ReadDir and File.Readdir methods populate os.FileInfo using lstat, which can escape the root boundary through a symlink race condition. An attacker can exploit this by replacing a directory with a symlink pointing outside the root between listing directory contents and calling DirEntry.Info(), allowing retrieval of file metadata (size, modification time, permissions) for files outside the root. This does not permit reading or writing files outside the root. (CVE-2026-27139)

- Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value 'refresh'. A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow 'url=' by setting htmlmetacontenturlescape=0. (CVE-2026-27142)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
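
For services that cannot be rebuilt with a fixed toolchain right away, the following pre-parse guard applies the rule described for CVE-2026-25679 above: an IP-literal must start the host subcomponent. It is an added example, not code from the Go project or from this plugin. The names rawHost, ParseStrict and ErrMisplacedIPLiteral are hypothetical, the sample URLs are constructed, and the check is an approximation of the rule as the description states it.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrMisplacedIPLiteral: a '[' occurs in the host, but not as its first byte.
var ErrMisplacedIPLiteral = errors.New("IP-literal is not at the start of the host")

// rawHost extracts host[:port] by hand, so the verdict is toolchain-independent.
func rawHost(raw string) (string, bool) {
	rest := raw
	if i := strings.IndexAny(raw, ":/?#"); i > 0 && raw[i] == ':' {
		rest = raw[i+1:] // skip "scheme:"
	}
	if !strings.HasPrefix(rest, "//") {
		return "", false // relative or opaque URL: no authority component
	}
	rest = rest[2:]
	if i := strings.IndexAny(rest, "/?#"); i >= 0 {
		rest = rest[:i] // the authority ends at the first '/', '?' or '#'
	}
	if i := strings.LastIndexByte(rest, '@'); i >= 0 {
		rest = rest[i+1:] // drop userinfo
	}
	return rest, true
}

// ParseStrict rejects misplaced IP-literals, then defers to url.Parse.
func ParseStrict(raw string) (*url.URL, error) {
	if host, ok := rawHost(raw); ok && strings.LastIndexByte(host, '[') > 0 {
		return nil, fmt.Errorf("parse %q: %w", raw, ErrMisplacedIPLiteral)
	}
	return url.Parse(raw)
}

func main() {
	for _, s := range []string{ // constructed sample inputs
		"http://[2001:db8::1]:8080/status",
		"http://example.com/a[b]",
		"http://user@junk[2001:db8::1]:8080/",
	} {
		_, err := ParseStrict(s)
		fmt.Printf("%-40s rejected=%t\n", s, errors.Is(err, ErrMisplacedIPLiteral))
	}
}
```

The guard is a compensating control only; the upgrade in the Solution section is still required, since it also covers the other two CVEs.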

Solution

Upgrade to Golang Go version 1.25.8, 1.26.1 or later.

See Also

https://github.com/golang/go/issues/77578

https://github.com/golang/go/issues/77827

https://github.com/golang/go/issues/77954

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Plugin Details

Severity: Medium

ID: 301252

File Name: golang_1_25_8_1_26_1.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/6/2026

Updated: 3/6/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis by Tenable.

VPR

Risk Factor: Medium

Score: 6.0

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:golang:go

Required KB Items: installed_sw/Golang Go Programming Language

Patch Publication Date: 3/5/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-25679, CVE-2026-27139, CVE-2026-27142