anonhaven
Ad

CVE-2026-27140

HIGH CVSS 3.1: 8.8 EPSS 0.01%
Updated Apr 16, 2026
Golang
Parameter Value
CVSS 8.8 (HIGH)
Affected Versions 1.26.0 — 1.26.2
Fixed In 1.25.9
Type CWE-863 (Incorrect Authorization)
Vendor Golang
Public PoC No

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-863 Incorrect Authorization

Vulnerable Products 2

Configuration From (including) Up to (excluding)
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.25.9
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.26.0 1.26.2

References 4

https://go.dev/cl/763768
security@golang.org
https://go.dev/issue/78335
security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4871
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33810

Golang

8.2

CVE-2026-32289

Go Standard Library

6.1

CVE-2026-32288

Go Standard Library

5.5

CVE-2026-32283

Golang

7.5

CVE-2026-32282

Golang

6.4