๐Ÿ” CVE Alert

CVE-2026-42499

UNKNOWN 0.0

Quadratic string concatenation in consumePhrase in net/mail

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Vendor go standard library
Product net/mail
Published May 7, 2026
Stay Ahead of the Next One

Get instant alerts for go standard library net/mail

Be the first to know when new unknown vulnerabilities affecting go standard library net/mail are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Go standard library / net/mail
0 < 1.25.10 1.26.0-0 < 1.26.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
go.dev: https://go.dev/issue/78987 go.dev: https://go.dev/cl/771520 groups.google.com: https://groups.google.com/g/golang-announce/c/qcCIEXso47M pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4977