๐Ÿ” CVE Alert

CVE-2026-39820

HIGH 7.5

Quadratic string concatentation in consumeComment in net/mail

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Vendor go standard library
Product net/mail
Published May 7, 2026
Last Updated May 8, 2026
Stay Ahead of the Next One

Get instant alerts for go standard library net/mail

Be the first to know when new high vulnerabilities affecting go standard library net/mail are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Go standard library / net/mail
0 < 1.25.10 1.26.0-0 < 1.26.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
go.dev: https://go.dev/issue/78566 go.dev: https://go.dev/cl/759940 groups.google.com: https://groups.google.com/g/golang-announce/c/qcCIEXso47M pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4986

Credits

thatnealpatel