CVE-2026-39817

Published: May 7, 2026

Modified: May 8, 2026

PUBLISHED

Description

The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

Vendor	Product	Versions
Go toolchain	cmd/go	affected `0 - < 1.25.10` affected `1.26.0-0 - < 1.26.3`

References

https://go.dev/issue/78778

https://go.dev/cl/767520

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://pkg.go.dev/vuln/GO-2026-4979

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-39817

Description

Affected Products

References