CVE Field Guide
About Us
CVE-2026-25679
PUBLISHED
Incorrect parsing of IPv6 host literals in net/url
Assigner:
Go
Reserved:
05.02.2026
Published:
06.03.2026
Updated:
06.03.2026
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Product Status
Vendor
Go standard library
Product
net/url
Versions
Default:
unaffected
affected from 0 to 1.25.8 (excl.)
affected from 1.26.0-0 to 1.26.1 (excl.)
Credits
Masaki Hara (https://github.com/qnighy) of Wantedly
References
https://go.dev/cl/752180
https://go.dev/issue/77578
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://pkg.go.dev/vuln/GO-2026-4601
Problem Types
CWE-1286: Improper Validation of Syntactic Correctness of Input