github.com/envoyproxy/envoy (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/envoyproxy/envoy, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2026-26308 — CVSS 7.5 (high): Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access…
CVE-2025-54588 — CVSS 7.5 (high): Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. Versions 1.34.0 through…
CVE-2019-9901 — CVSS 6.5 (medium): Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass…
CVE-2025-64527 — CVSS 6.5 (medium): Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT…
CVE-2025-30157 — CVSS 6.5 (medium): Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP…
CVE-2026-26311 — CVSS 5.9 (medium): Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP…
CVE-2026-26310 — CVSS 5.9 (medium): Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort…
CVE-2026-26330 — CVSS 5.3 (medium): Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the…
CVE-2026-26309 — CVSS 5.3 (medium): Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in…
CVE-2025-66220 — CVSS 5.0 (medium): Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher…
CVE-2025-64763 — CVSS 3.7 (low): Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP…