CVE-2026-39822

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/07/2026
Last modified:
13/07/2026

Description

On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, 'root.Open("symlink/")' will open "symlink" even when "symlink" is a symbolic link pointing outside of the root.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* 1.25.12 (excluding)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* 1.26.0 (including) 1.26.5 (excluding)
cpe:2.3:a:golang:go:1.27:rc1:*:*:*:*:*:*