Description
When returning errors, functions in the net/textproto package would include their input as part of the error. This might allow an attacker to inject misleading content into errors that are printed or logged.
Published: 2026-06-02
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in Go’s net/textproto package where error messages embed input values without escaping. An attacker who can influence those inputs can inject arbitrary content into error messages that may be displayed to users or written to logs. This raises the risk of misleading error output or the disclosure of sensitive information.

Affected Systems

It affects the Go standard library component net/textproto. No specific version guidance is provided, so any Go version that includes the current implementation is potentially vulnerable until a fix is released.

Risk and Exploitability

EPSS score is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; CVSS metrics are not provided. The vulnerability is likely exploitable in any context where an application uses net/textproto to handle protocol data and forwards error messages to clients or logs them. The attack vector would be remote, leveraged through the protocol handled by the application, and depends on whether the error content is exposed to users or captured in audit trails. Despite the lack of official severity metrics, the potential for log or output injection makes this a high‑impact concern for systems that rely on accurate error reporting.

Generated by OpenCVE AI on June 3, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Go release that includes the fix for GO-2026-5039 or apply any vendor‑supplied patch to net/textproto
  • Modify your application’s error handling to escape or remove user input before including it in error messages, addressing the log injection weakness identified as CWE-107
  • Configure your service to return generic error responses to clients while logging detailed errors in a sanitized, internal context
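A sketch of the second and third actions in Go, added here as an illustration and not taken from the Go project or OpenCVE. The names SanitizeErr, ParseHeaders and maxLoggedErr, the 256-byte cap and the sample input are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// maxLoggedErr caps how much input-derived text reaches the log (assumed limit).
const maxLoggedErr = 256

// SanitizeErr renders an error for logging. The message is length-capped and
// then quoted, so newlines, control bytes and non-ASCII appear as escapes.
func SanitizeErr(err error) string {
	msg := err.Error()
	if len(msg) > maxLoggedErr {
		msg = msg[:maxLoggedErr]
	}
	return strconv.QuoteToASCII(msg)
}

// ParseHeaders parses a raw header block with net/textproto. On failure it
// returns a fixed client-facing message and a separate sanitized log line,
// so the parser's error text is never echoed to the peer.
func ParseHeaders(raw string) (textproto.MIMEHeader, string, string) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	hdr, err := r.ReadMIMEHeader()
	if err != nil {
		return nil, "400 Bad Request", "header parse failed: err=" + SanitizeErr(err)
	}
	return hdr, "", ""
}

// constructedInput is sample data built for this example: the second line has
// no colon and carries an ESC byte and a bare CR, so textproto rejects it.
const constructedInput = "Host: example.test\r\n" +
	"no-colon\x1b[2K\rfake-entry\r\n\r\n"

func main() {
	_, clientMsg, logLine := ParseHeaders(constructedInput)
	fmt.Println("to client:", clientMsg)
	fmt.Println("to log:   ", logLine)
}
```

Quoting an error that a patched release has already escaped only adds a second layer of backslashes, so the wrapper behaves the same before and after an upgrade.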


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Golang; Golang net
Vendors & Products | | Golang; Golang net

Wed, 03 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-107

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | When returning errors, functions in the net/textproto package would include their input as part of the error. This might allow an attacker to inject misleading content into errors that are printed or logged.
Title | | Arbitrary inputs are included in errors without any escaping in net/textproto
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-02T22:01:37.307Z

Reserved: 2026-04-28T00:21:12.792Z

Link: CVE-2026-42507

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T23:16:38.027

Modified: 2026-06-02T23:16:38.027

Link: CVE-2026-42507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:31Z
