Go vulnerabilities: known CVEs & security history
Google · Web / Runtime · 171 tracked CVEs · 2 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all Go release lines — 171 in total, with 2 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Go's current status and the safe version to run.
Known Go CVEs
Actively-exploited and most-severe first. Showing the top 80 of 171. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2020-0601⚡ exploited | high | 8.1 | 89% | 2020 |
| CVE-2023-44487⚡ exploited | high | 7.5 | 100% | 2023 |
| CVE-2025-68121 | critical | 10 | 1% | 2026 |
| CVE-2026-27143 | critical | 9.8 | 1% | 2026 |
| CVE-2024-24790 | critical | 9.8 | 2% | 2024 |
| CVE-2023-39320 | critical | 9.8 | 1% | 2023 |
| CVE-2023-29405 | critical | 9.8 | 2% | 2023 |
| CVE-2023-29404 | critical | 9.8 | 2% | 2023 |
| CVE-2023-29402 | critical | 9.8 | 2% | 2023 |
| CVE-2023-24540 | critical | 9.8 | 2% | 2023 |
| CVE-2023-24538 | critical | 9.8 | 2% | 2023 |
| CVE-2021-38297 | critical | 9.8 | 10% | 2021 |
| CVE-2012-2666 | critical | 9.8 | 2% | 2021 |
| CVE-2020-29511 | critical | 9.8 | 2% | 2020 |
| CVE-2020-29510 | critical | 9.8 | 2% | 2020 |
| CVE-2020-29509 | critical | 9.8 | 2% | 2020 |
| CVE-2015-5741 | critical | 9.8 | 3% | 2020 |
| CVE-2019-14809 | critical | 9.8 | 8% | 2019 |
| CVE-2019-11888 | critical | 9.8 | 3% | 2019 |
| CVE-2015-5740 | critical | 9.8 | 4% | 2017 |
| CVE-2015-5739 | critical | 9.8 | 9% | 2017 |
| CVE-2017-15041 | critical | 9.8 | 9% | 2017 |
| CVE-2025-66630 | critical | 9.4 | 0% | 2026 |
| CVE-2022-23806 | critical | 9.1 | 3% | 2022 |
| CVE-2026-27140 | high | 8.8 | 1% | 2026 |
| CVE-2018-7187 | high | 8.8 | 64% | 2018 |
| CVE-2025-61732 | high | 8.6 | 0% | 2026 |
| CVE-2025-4674 | high | 8.6 | 0% | 2025 |
| CVE-2026-33810 | high | 8.2 | 0% | 2026 |
| CVE-2019-6486 | high | 8.2 | 4% | 2019 |
| CVE-2023-39323 | high | 8.1 | 2% | 2023 |
| CVE-2018-16874 | high | 8.1 | 5% | 2018 |
| CVE-2018-16873 | high | 8.1 | 66% | 2018 |
| CVE-2016-5386 | high | 8.1 | 5% | 2016 |
| CVE-2025-61731 | high | 7.8 | 0% | 2026 |
| CVE-2023-29403 | high | 7.8 | 0% | 2023 |
| CVE-2022-30580 | high | 7.8 | 1% | 2022 |
| CVE-2019-9634 | high | 7.8 | 3% | 2019 |
| CVE-2018-6574 | high | 7.8 | 8% | 2018 |
| CVE-2016-3958 | high | 7.8 | 0% | 2016 |
| CVE-2026-42501 | high | 7.5 | 0% | 2026 |
| CVE-2026-42499 | high | 7.5 | 1% | 2026 |
| CVE-2026-39836 | high | 7.5 | 1% | 2026 |
| CVE-2026-39820 | high | 7.5 | 0% | 2026 |
| CVE-2026-33814 | high | 7.5 | 1% | 2026 |
| CVE-2026-33811 | high | 7.5 | 1% | 2026 |
| CVE-2026-32283 | high | 7.5 | 0% | 2026 |
| CVE-2026-32281 | high | 7.5 | 0% | 2026 |
| CVE-2026-32280 | high | 7.5 | 0% | 2026 |
| CVE-2026-27137 | high | 7.5 | 0% | 2026 |
| CVE-2026-25679 | high | 7.5 | 1% | 2026 |
| CVE-2025-61726 | high | 7.5 | 1% | 2026 |
| CVE-2025-61729 | high | 7.5 | 0% | 2025 |
| CVE-2025-61723 | high | 7.5 | 1% | 2025 |
| CVE-2025-58188 | high | 7.5 | 0% | 2025 |
| CVE-2025-58187 | high | 7.5 | 0% | 2025 |
| CVE-2023-45285 | high | 7.5 | 1% | 2023 |
| CVE-2023-45287 | high | 7.5 | 1% | 2023 |
| CVE-2023-45283 | high | 7.5 | 3% | 2023 |
| CVE-2023-46324 | high | 7.5 | 0% | 2023 |
| CVE-2023-39325 | high | 7.5 | 4% | 2023 |
| CVE-2023-39322 | high | 7.5 | 1% | 2023 |
| CVE-2023-39321 | high | 7.5 | 1% | 2023 |
| CVE-2023-24537 | high | 7.5 | 1% | 2023 |
| CVE-2023-24536 | high | 7.5 | 1% | 2023 |
| CVE-2023-24534 | high | 7.5 | 2% | 2023 |
| CVE-2022-41725 | high | 7.5 | 1% | 2023 |
| CVE-2022-41724 | high | 7.5 | 1% | 2023 |
| CVE-2022-41723 | high | 7.5 | 5% | 2023 |
| CVE-2022-41722 | high | 7.5 | 2% | 2023 |
| CVE-2022-41720 | high | 7.5 | 1% | 2022 |
| CVE-2022-41716 | high | 7.5 | 1% | 2022 |
| CVE-2022-41715 | high | 7.5 | 1% | 2022 |
| CVE-2022-2880 | high | 7.5 | 1% | 2022 |
| CVE-2022-2879 | high | 7.5 | 2% | 2022 |
| CVE-2022-32190 | high | 7.5 | 2% | 2022 |
| CVE-2022-27664 | high | 7.5 | 3% | 2022 |
| CVE-2022-32189 | high | 7.5 | 2% | 2022 |
| CVE-2022-30635 | high | 7.5 | 1% | 2022 |
| CVE-2022-30633 | high | 7.5 | 2% | 2022 |
91 older / lower-severity CVEs not shown — see Go's full record.
Is my Go version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your Go version → · Monitor Go for new CVEs →
Go vulnerabilities — frequently asked
How many known vulnerabilities does Go have?
IsItPatched tracks 171 CVEs for Go, 2 of which are actively exploited (CISA KEV). 22 are critical-severity and 99 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Go have any actively-exploited vulnerabilities?
Yes — 2 Go CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe Go vulnerability?
Among tracked issues, CVE-2020-0601 (HIGH, CVSS 8.1), which is actively exploited, ranks highest — a CWE-295 weakness.
Is Go safe to use?
It depends on the version. The latest supported Go release (1.26.4) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: Go security status · Go end-of-life · actively-exploited CVEs. Always verify against Google's advisories — see our disclaimer.