CVE-2026-42507

Arbitrary inputs are included in errors without any escaping in net/textproto

Published: 6/2/2026Modified: 6/2/2026

Also known as:GO-2026-5039

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected packages (1)

Go/stdlibfrom 0, < 1.25.11, >= 1.26.0-0, < 1.26.4

References (3)

PATCHhttps://go.dev/cl/777060
REPORThttps://go.dev/issue/79346
WEBhttps://groups.google.com/g/golang-announce/c/tKs3rmcBcKw