CVE-2026-42507 - Vulnerability Details

- Arbitrary inputs are included in errors without any escaping in net/textproto

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Published: 2026-06-02

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is in Go’s net/textproto package where error messages embed input values without escaping. An attacker who can influence those inputs can inject arbitrary content into error messages that may be displayed to users or written to logs. This raises the risk of misleading error output or the disclosure of sensitive information.

Affected Systems

It affects the Go standard library component net/textproto. No specific version guidance is provided, so any Go version that includes the current implementation is potentially vulnerable until a fix is released.

Risk and Exploitability

EPSS score is < 1% and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog; CVSS score is 5.3. The vulnerability is likely exploitable in any context where an application uses net/textproto to handle protocol data and forwards error messages to clients or logs them. The likely attack vector is remote, leveraged through the protocol handled by the application, and depends on whether the error content is exposed to users or captured in audit trails. Despite the moderate CVSS score of 5.3, the potential for log or output injection makes this a high‑impact concern for systems that rely on accurate error reporting.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Go standard library

net/textproto

unaffected

Version	Status	Constraints
`0`	affected	< 1.25.11
`1.26.0-0`	affected	< 1.26.4

No data.

Vendor Product Confidence Versions

Golang

Net

100%

Version	Status	Scheme	Platform
`[0,1.25.11)`	affected	semver	—
`[1.26.0-0,1.26.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest Go release that includes the fix for GO-2026-5039 or apply any vendor‑supplied patch to net/textproto
Modify your application’s error handling to escape or remove user input before including it in error messages, addressing the log injection weakness
Configure your service to return generic error responses to clients while logging detailed errors in a sanitized, internal context

Generated by OpenCVE AI on June 18, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0037.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://go.dev/cl/777060
https://go.dev/issue/79346
https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
https://nvd.nist.gov/vuln/detail/CVE-2026-42507
https://pkg.go.dev/vuln/GO-2026-5039
https://www.cve.org/CVERecord?id=CVE-2026-42507

History

Thu, 18 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20 CWE-532

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-117
References		https://nvd.nist.gov/vuln/detail/CVE-2026-42507 https://www.cve.org/CVERecord?id=CVE-2026-42507
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 03 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20 CWE-532

Wed, 03 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-107

Wed, 03 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Golang Golang net
Vendors & Products		Golang Golang net

Wed, 03 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-107

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Description		When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
Title		Arbitrary inputs are included in errors without any escaping in net/textproto
References		https://go.dev/cl/777060 https://go.dev/issue/79346 https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw https://pkg.go.dev/vuln/GO-2026-5039

Subscriptions

Golang Net

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-06-02T22:01:37.307Z

Updated: 2026-06-03T19:04:45.361Z

Reserved: 2026-04-28T00:21:12.792Z

Link: CVE-2026-42507

Vulnrichment

Updated: 2026-06-03T19:04:38.365Z

NVD

Status : Awaiting Analysis

Published: 2026-06-02T23:16:38.027

Modified: 2026-06-04T16:15:50.143

Link: CVE-2026-42507

Redhat

Severity : Moderate

Publid Date: 2026-06-02T22:01:37Z

Links: CVE-2026-42507 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T22:45:16Z

Weaknesses

CWE-117
Improper Output Neutralization for Logs

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object