Golang: community verdicts
3 notable / known-exploited Golang CVEs the community has triaged.
ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Golang CVE, see NVD ↗.
- CVE-2023-44487HIGH 7.5KEVEPSS 100%
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2020-0601HIGH 8.1KEVEPSS 89%
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
- CVE-2026-33813HIGH 7.5Real · low riskEPSS 0%
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.