Arbitrary inputs are included in errors without any escaping in...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Basic Information

ID CVE-2026-42507

Source Go

Published Jun 2, 2026 at 22:01

Modified Jun 3, 2026 at 19:04

Affected Product

Vendor Go standard library

Product net/textproto

Affected Versions Go standard library net/textproto 0
Go standard library net/textproto 1.26.0-0

References

{
    "lastseen": "",
    "description": "When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.",
    "published": "2026-06-02T22:01:37.307Z",
    "modified": "2026-06-03T19:04:45.361Z",
    "type": "cve",
    "title": "Arbitrary inputs are included in errors without any escaping in net/textproto",
    "source": "Go",
    "references": "https://go.dev/issue/79346\nhttps://go.dev/cl/777060\nhttps://groups.google.com/g/golang-announce/c/tKs3rmcBcKw\nhttps://pkg.go.dev/vuln/GO-2026-5039",
    "id": "CVE-2026-42507",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Go standard library net/textproto 0\nGo standard library net/textproto 1.26.0-0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "net/textproto",
    "version": "0",
    "vendor": "Go standard library",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Arbitrary inputs are included in errors without any escaping in net/textproto_CVE-2026-42507

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply