CVE-2026-39817

216.73.217.22

· Published 07/05/2026 20:16 · Modified 07/05/2026 20:38

Labels: CVE-2026-39817 2026-05-07 CVE-2026-39817 [email protected]

Essential information

Published: 07/05/2026 20:16
Modified: 07/05/2026 20:38
Author: —
Creator: —
CISA KEV: No
CWE: —
CVSS vector

Description

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
golang / go	`cpe:2.3:a:golang:go::::::::`

CVE-2026-39817

Essential information

Description

NVD status

Affected products (CPE)

References