golang.org/x/net (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package golang.org/x/net, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (32)
CVE-2026-39821 — CVSS 9.6 (critical): The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example…
CVE-2018-17143 — CVSS 7.5 (high): The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a "panic: runtime…
CVE-2018-17846 — CVSS 7.5 (high): The html package (aka x/net/html) through 2018-09-25 in Go mishandles <table><math><select><mi><select></table>, leading to an infinite…
CVE-2018-17847 — CVSS 7.5 (high): The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a "panic…
CVE-2018-17848 — CVSS 7.5 (high): The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a "panic: runtime…
CVE-2019-9512 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings…
CVE-2019-9514 — CVSS 7.5 (high): Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of…
CVE-2018-17075 — CVSS 7.5 (high): The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for…
CVE-2021-33194 — CVSS 7.5 (high): golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted…
CVE-2021-44716 — CVSS 7.5 (high): net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via…
CVE-2022-27664 — CVSS 7.5 (high): In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang…
CVE-2026-27141 — CVSS 7.5 (high): Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
CVE-2023-45288 — CVSS 7.5 (high): An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames…
CVE-2026-33814 — CVSS 7.5 (high): When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a…
CVE-2022-41721 — CVSS 7.5 (high): A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully…
CVE-2022-41723 — CVSS 7.5 (high): A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service…
CVE-2023-39325 — CVSS 7.5 (high): A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While…
CVE-2018-17142 — CVSS 7.5 (high): The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error"…
CVE-2025-22872 — CVSS 6.5 (medium): The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When…
CVE-2026-42506 — CVSS 6.1 (medium): Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS…
CVE-2023-3978 — CVSS 6.1 (medium): Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to…
CVE-2026-25681 — CVSS 6.1 (medium): Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS…
CVE-2026-27136 — CVSS 6.1 (medium): Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS…
CVE-2026-42502 — CVSS 6.1 (medium): Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS…
CVE-2021-31525 — CVSS 5.9 (medium): net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to…
CVE-2024-45338 — CVSS 5.3 (medium): An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in…
CVE-2025-58190 — CVSS 5.3 (medium): The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of…
CVE-2025-47911 — CVSS 5.3 (medium): The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial…
CVE-2022-41717 — CVSS 5.3 (medium): An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP…
CVE-2025-22870 — CVSS 4.4 (medium): Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY…