Go 1.x — End of Life
Active High risk17 releases in this series187 CVEs
Go 1.x — All releases
| Version | Released | Active support | EOL date | Latest patch | Status |
|---|---|---|---|---|---|
| 1.26 | Feb 11, 2026 | — | No | 1.26.4 | Active |
| 1.25 | Aug 12, 2025 | — | No | 1.25.11 | Active |
| 1.24 | Feb 11, 2025 | — | Feb 11, 2026 | 1.24.13 | EOL |
| 1.23 | Aug 13, 2024 | — | Aug 12, 2025 | 1.23.12 | EOL |
| 1.22 | Feb 6, 2024 | — | Feb 11, 2025 | 1.22.12 | EOL |
| 1.21 | Aug 8, 2023 | — | Aug 13, 2024 | 1.21.13 | EOL |
| 1.20 | Feb 1, 2023 | — | Feb 6, 2024 | 1.20.14 | EOL |
| 1.19 | Aug 2, 2022 | — | Sep 6, 2023 | 1.19.13 | EOL |
| 1.18 | Mar 15, 2022 | — | Feb 1, 2023 | 1.18.10 | EOL |
| 1.17 | Aug 16, 2021 | — | Aug 2, 2022 | 1.17.13 | EOL |
| 1.16 | Feb 16, 2021 | — | Mar 15, 2022 | 1.16.15 | EOL |
| 1.15 | Aug 11, 2020 | — | Aug 16, 2021 | 1.15.15 | EOL |
| 1.14 | Feb 25, 2020 | — | Feb 16, 2021 | 1.14.15 | EOL |
| 1.13 | Sep 3, 2019 | — | Aug 11, 2020 | 1.13.15 | EOL |
| 1.12 | Feb 25, 2019 | — | Feb 25, 2020 | 1.12.17 | EOL |
| 1.11 | Aug 24, 2018 | — | Sep 3, 2019 | 1.11.13 | EOL |
| 1.10 | Feb 16, 2018 | — | Feb 25, 2019 | 1.10.8 | EOL |
CVEs affecting Go 1.x (187)
| CVE | Severity | CVSS | EPSS | KEV | Cycle | Description | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.12 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.25 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.24 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.23 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.22 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.21 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.20 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.19 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.18 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.17 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.16 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.15 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.14 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.13 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.11 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.10 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33811 | HIGH | 7.5 | 0.02% | — | 1.26 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.25 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.24 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.23 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.22 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.21 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.20 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.19 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.18 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.17 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.16 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.15 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.14 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.13 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.12 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.11 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.10 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-33814 | HIGH | 7.5 | 0.02% | — | 1.26 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it recei… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.16 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.25 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.24 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.23 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.22 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.21 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.20 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.19 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.18 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.17 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.15 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.14 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.13 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.12 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.11 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.10 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39820 | HIGH | 7.5 | 0.06% | — | 1.26 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion… | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.25 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.24 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.23 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.22 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.21 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.20 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.19 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.18 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.17 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.16 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.15 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.14 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.13 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.12 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.11 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.10 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-39836 | HIGH | 7.5 | 0.02% | — | 1.26 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.25 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.24 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.23 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.22 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.21 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.20 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.19 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.18 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.17 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.16 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.15 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.14 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.13 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.12 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.11 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.10 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42499 | HIGH | 7.5 | 0.02% | — | 1.26 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.25 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.24 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.23 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.22 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.21 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.20 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.19 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.18 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.17 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.16 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.15 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.14 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.13 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.12 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.11 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.10 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-42501 | HIGH | 7.5 | 0.01% | — | 1.26 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum databa… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.25 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.26 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.10 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.11 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.12 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.13 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.14 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.15 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.16 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.17 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.19 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.20 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.21 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.22 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.23 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.24 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.25 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.26 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.10 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.11 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.12 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.13 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.14 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.15 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.16 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39826 | MEDIUM | 6.1 | 0.01% | — | 1.18 | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute wit… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.17 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.18 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.19 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.20 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.21 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.22 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.24 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39823 | MEDIUM | 6.1 | 0.01% | — | 1.23 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribu… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.10 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.25 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.24 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.23 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.22 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.21 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.20 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.19 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.18 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.17 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.16 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.15 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.14 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.13 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.12 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.11 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39817 | MEDIUM | 5.9 | 0.01% | — | 1.26 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sa… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.26 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.10 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.11 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.12 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.13 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.14 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.15 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.16 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.17 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.18 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.19 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.20 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.26 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.21 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.22 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.23 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.24 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39819 | MEDIUM | 5.3 | 0.01% | — | 1.25 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp").… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.25 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.10 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.11 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.12 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.13 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.14 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.15 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.16 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.17 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.18 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.19 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.20 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.21 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.22 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.23 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
| CVE-2026-39825 | MEDIUM | 5.3 | 0.01% | — | 1.24 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite functi… | May 7, 2026 |
Frequently asked questions
Is Go 1 end of life?
Partially. Some Go 1.x releases have reached EOL. Check the version table above for the exact status of each sub-release.
What CVEs affect Go 1?
There are 187 CVEs tracked for Go 1.x. See the full list above with CVSS and EPSS scores.
What is the latest Go 1 version?
The latest Go 1.x patch release is 1.26.4, released on June 2, 2026. Always run the latest patch to benefit from all security fixes.
When was Go 1 first released?
Go 1.0 was initially released on February 11, 2026. See the full version timeline in the table above.
Is it safe to run Go 1 in production?
Go 1 is still supported and safe for production use. Ensure you are running the latest patch version (1.26.4) to have all security fixes applied.
Data sourced from endoflife.date · CVE data from NVD · EPSS from FIRST.org · KEV from CISA