Summary iPlain-English security verdict for Go, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Go currently scores 100/100 — healthy. 2 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2023-44487) — staying on the latest supported version keeps you clear of them. The latest supported release is 1.26.4. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend iNew CVEs published for Go each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2023-44487 HIGH exploited Uncontrolled resource consumption EPSS 100% → fixed in 1.21.3 CVE-2020-0601 HIGH exploited CWE-295 EPSS 89% → fixed in 1.13.7 CVE-2018-16873 HIGH Improper input validation EPSS 66% → fixed in 1.11.3 CVE-2018-7187 HIGH OS command injection EPSS 64% → fixed in 1.10.1 CVE-2021-38297 CRITICAL Buffer overflow EPSS 10% → fixed in 1.17.2 CVE-2015-5739 CRITICAL CWE-444 EPSS 9% → see advisory CVE-2017-15041 CRITICAL EPSS 9% → see advisory CVE-2019-14809 CRITICAL EPSS 8% → fixed in 1.12.8 CVE-2015-5740 CRITICAL CWE-444 EPSS 4% → see advisory CVE-2022-23806 CRITICAL CWE-252 EPSS 3% → fixed in 1.17.7 CVE-2015-5741 CRITICAL CWE-444 EPSS 3% → fixed in 1.4.3 CVE-2019-11888 CRITICAL Improper privilege management EPSS 3% → see advisoryGet alerted about Go
Be emailed the moment Go gets a newly exploited vulnerability (CISA KEV) or a release reaches end of life. Free · double opt-in · unsubscribe anytime.
We email only on real events for Go — no marketing, no sharing, and we never know what you run. Track your whole stack →
Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Go release line is supported — and when it sunsets. Select a line for its full report.
Full Go end-of-life dates & support timeline →
1.26 latest 1.26.4 Supported 1.26.4 → 1.25 latest 1.25.11 Supported 1.25.11 → 1.24 latest 1.24.13 End of life ended 2026-02-111.24.13 → 1.23 latest 1.23.12 End of life ended 2025-08-121.23.12 → 1.22 latest 1.22.12 End of life ended 2025-02-111.22.12 → 1.21 latest 1.21.13 End of life ended 2024-08-131.21.13 → 1.20 latest 1.20.14 End of life ended 2024-02-061.20.14 → 1.19 latest 1.19.13 End of life ended 2023-09-061.19.13 → 1.18 latest 1.18.10 End of life ended 2023-02-011.18.10 → 1.17 latest 1.17.13 End of life ended 2022-08-021.17.13 → See all upcoming end-of-life dates →Frequently asked
Is Go safe and patched?
Go currently scores 100/100 — healthy. 2 actively-exploited vulnerabilities (CISA KEV) affect older releases (e.g. CVE-2023-44487) — staying on the latest supported version keeps you clear of them. The latest supported release is 1.26.4. It's on the latest patch with no significant known issues — keep it current.
What should I do about Go now?
Upgrade Go to the latest supported release (1.26.4) or later, which clears the actively-exploited issues affecting older versions, then confirm against Google's official advisory.
When does Go reach end-of-life?
The latest supported Go release is 1.26.4. After end-of-life a release no longer receives security patches.
Which versions of Go are still receiving security updates?
Supported Go release lines (latest 1.26.4): 1.26, 1.25. End-of-life releases no longer receive security patches.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Google's official advisory before you patch or upgrade — Go official site ↗