{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25679", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-05T01:33:41.943Z", "datePublished": "2026-03-06T21:28:14.211Z", "dateUpdated": "2026-03-10T13:37:02.459Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.211Z"}, "title": "Incorrect parsing of IPv6 host literals in net/url", "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}], "affected": [{"vendor": "Go standard library", "product": "net/url", "collectionURL": "https://pkg.go.dev", "packageName": "net/url", "versions": [{"version": "0", "lessThan": "1.25.8", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "parseHost"}, {"name": "JoinPath"}, {"name": "Parse"}, {"name": "ParseRequestURI"}, {"name": "URL.Parse"}, {"name": "URL.UnmarshalBinary"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"}]}], "references": [{"url": "https://go.dev/cl/752180"}, {"url": "https://go.dev/issue/77578"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "credits": [{"lang": "en", "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:36:26.554241Z", "id": "CVE-2026-25679", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:37:02.459Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:36:26.554241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:36:57.330Z"}}], "cna": {"title": "Incorrect parsing of IPv6 host literals in net/url", "credits": [{"lang": "en", "value": "Masaki Hara (https://github.com/qnighy) of Wantedly"}], "affected": [{"vendor": "Go standard library", "product": "net/url", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.8", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "net/url", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "parseHost"}, {"name": "JoinPath"}, {"name": "Parse"}, {"name": "ParseRequestURI"}, {"name": "URL.Parse"}, {"name": "URL.UnmarshalBinary"}]}], "references": [{"url": "https://go.dev/cl/752180"}, {"url": "https://go.dev/issue/77578"}, {"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.211Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25679", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:37:02.459Z", "dateReserved": "2026-02-05T01:33:41.943Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.211Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "url.Parse insufficiently validated the host/authority component and accepted some invalid URLs."}, {"lang": "es", "value": "url.Parse valid\u00f3 insuficientemente el componente de host/autoridad y acept\u00f3 algunas URL inv\u00e1lidas."}], "id": "CVE-2026-25679", "lastModified": "2026-03-10T18:18:37.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:00.720", "references": [{"source": "[email protected]", "url": "https://go.dev/cl/752180"}, {"source": "[email protected]", "url": "https://go.dev/issue/77578"}, {"source": "[email protected]", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "[email protected]", "url": "https://pkg.go.dev/vuln/GO-2026-4601"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "net/url: Incorrect parsing of IPv6 host literals in net/url", "id": "2445356", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445356"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-1286", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-25679", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25679\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25679\nhttps://go.dev/cl/752180\nhttps://go.dev/issue/77578\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4601"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.25.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "net/url", "source": "cna", "vendor": "Go standard library"}, "product": "net/url", "vendor": "go_standard_library"}], "created": "2026-03-09T10:06:18.003081+00:00", "updated": "2026-03-09T10:06:18.003181+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$net/url"]}