CVE-2026-42507: CWE-532: Insertion of Sensitive Information into Log File in Go standard library net/textproto
CVE-2026-42507 is a vulnerability in the Go standard library's net/textproto package where error messages include the input data as part of the error output. This behavior can lead to insertion of sensitive or misleading information into logs or error messages. There is no CVSS score or vendor advisory indicating a patch or mitigation status. No known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability arises because functions in the net/textproto package return errors that embed the input data directly within the error message. This can allow an attacker to inject misleading or sensitive information into logs or error outputs, potentially confusing administrators or exposing sensitive data. The affected versions include Go standard library versions up to 1.26.0-0. No patch or official remediation guidance is currently available.
Potential Impact
The impact is limited to the potential insertion of misleading or sensitive information into error logs or printed error messages. This could lead to confusion during troubleshooting or inadvertent exposure of sensitive data in logs. There are no reports of active exploitation or further impact such as code execution or denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should be cautious about logging or displaying error messages from the net/textproto package that may contain untrusted input. Consider sanitizing or filtering error outputs before logging or displaying them.
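One way to apply the sanitizing recommendation above, as an added example that is not code from the Go project or from this advisory. `LogSafe`, `parseHeaders`, and the 80-byte cap are hypothetical names and values chosen for illustration, and the input is constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// maxDetail caps how many bytes of an error string reach the log (assumed policy value).
const maxDetail = 80

// LogSafe renders err for logging without passing peer-controlled bytes
// through verbatim. Hypothetical helper, not part of net/textproto.
func LogSafe(err error) string {
	if err == nil {
		return ""
	}
	var pe textproto.ProtocolError
	if errors.As(err, &pe) {
		// The message may embed the offending input line: log only its size.
		return fmt.Sprintf("textproto: protocol error (detail withheld, %d bytes)", len(pe))
	}
	var te *textproto.Error
	if errors.As(err, &te) {
		// Code is numeric; Msg is text supplied by the remote side.
		return fmt.Sprintf("textproto: reply code %d (message withheld, %d bytes)", te.Code, len(te.Msg))
	}
	// Any other error: truncate, then escape CR/LF and non-ASCII bytes so a
	// single error can never span more than one log line.
	s := err.Error()
	if len(s) > maxDetail {
		s = s[:maxDetail]
	}
	return strconv.QuoteToASCII(s)
}

// parseHeaders parses raw as a MIME header block and returns the log-safe error text.
func parseHeaders(raw string) string {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	_, err := r.ReadMIMEHeader()
	return LogSafe(err)
}

func main() {
	// Constructed sample: a header line with no colon, carrying a fake secret.
	fmt.Println(parseHeaders("Host: example.test\r\nsecret-token-1234 not a header\r\n\r\n"))
}
```

Call `LogSafe(err)` at the logging call site rather than passing `err` directly, so the original error value is still available to program logic.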
Technical Details
- Data Version: 5.2
- Assigner Short Name: Go
- Date Reserved: 2026-04-28T00:21:12.792Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
- Gcve Source: db.gcve.eu
Threat ID: 6a1f872ae29bf47b5044bf0b
Added to database: 6/3/2026, 1:45:14 AM
Last enriched: 6/3/2026, 1:48:47 AM
Last updated: 6/3/2026, 3:14:03 AM