๐Ÿ” CVE Alert

CVE-2026-25679

HIGH 7.5

Incorrect parsing of IPv6 host literals in net/url

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Vendor go standard library
Product net/url
Published Mar 6, 2026
Last Updated Mar 10, 2026
Stay Ahead of the Next One

Get instant alerts for go standard library net/url

Be the first to know when new high vulnerabilities affecting go standard library net/url are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Go standard library / net/url
0 < 1.25.8 1.26.0-0 < 1.26.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
go.dev: https://go.dev/cl/752180 go.dev: https://go.dev/issue/77578 groups.google.com: https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4601

Credits

Masaki Hara (https://github.com/qnighy) of Wantedly