[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-39817":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T08:55:34.825Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":20,"aliases":21,"duplicate_of":9,"upstream":24,"downstream":25,"duplicates":34,"related":35,"reserved_at":9,"published_at":40,"modified_at":41,"state":42,"summary":43,"references_raw":52,"kevs":78,"epss":79,"epss_history":82,"metrics":167,"affected":175},"CVE-2026-39817","The \"go tool pack\" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the \"pack\" subcommand can write files to arbitrary locations on the filesystem.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-787","Out-of-bounds Write","The product writes data past the end, or before the beginning, of the intended buffer.","weakness","Draft","Base","High",[],[],[22,23],"GO-2026-4979","BIT-golang-2026-39817",[],[26,28,30,32],{"_key":27},"OPENSUSE-SU-2026:10723-1",{"_key":29},"OPENSUSE-SU-2026:10741-1",{"_key":31},"DEBIAN-CVE-2026-39817",{"_key":33},"UBUNTU-CVE-2026-39817",[],[36,37,38],{"_key":27},{"_key":29},{"_key":39},"CGA-87X8-MXJJ-M9RM","2026-05-07T19:41:18.993Z","2026-05-08T21:29:47.246Z","Analyzed",{"cisa_kev":44,"cisa_ransomware":44,"cisa_vendor":9,"epss_severity":45,"epss_score":46,"severity":47,"severity_score":48,"severity_version":49,"severity_source":50,"severity_vector":51,"severity_status":42},false,"low",0.00005,"medium",5.9,"v3.1","cve.org","CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",[53,61,67,73],{"url":54,"sources":55,"tags":58},"https://go.dev/issue/78778",[50,56,57],"nvd","osv_go",[59,60],"REPORT","Issue Tracking",{"url":62,"sources":63,"tags":64},"https://go.dev/cl/767520",[50,56,57],[65,66],"FIX","Patch",{"url":68,"sources":69,"tags":70},"https://groups.google.com/g/golang-announce/c/qcCIEXso47M",[50,56,57],[71,60,72],"WEB","Mailing List",{"url":74,"sources":75,"tags":76},"https://pkg.go.dev/vuln/GO-2026-4979",[50,56],[77],"Vendor Advisory",[],{"date":80,"score":46,"percentile":81},"2026-06-05",0.00251,[83,87,91,94,97,100,104,108,111,114,117,120,123,126,129,132,135,137,140,142,145,148,151,153,156,159,161,163,166],{"date":84,"score":85,"percentile":86},"2026-05-08",0.00027,0.07687,{"date":88,"score":89,"percentile":90},"2026-05-09",0.00018,0.05005,{"date":92,"score":89,"percentile":93},"2026-05-10",0.0502,{"date":95,"score":89,"percentile":96},"2026-05-11",0.05011,{"date":98,"score":89,"percentile":99},"2026-05-12",0.05007,{"date":101,"score":102,"percentile":103},"2026-05-13",0.00016,0.03776,{"date":105,"score":106,"percentile":107},"2026-05-14",0.00014,0.02728,{"date":109,"score":106,"percentile":110},"2026-05-15",0.02738,{"date":112,"score":106,"percentile":113},"2026-05-16",0.0275,{"date":115,"score":106,"percentile":116},"2026-05-17",0.02749,{"date":118,"score":106,"percentile":119},"2026-05-18",0.02727,{"date":121,"score":106,"percentile":122},"2026-05-19",0.02715,{"date":124,"score":106,"percentile":125},"2026-05-20",0.02714,{"date":127,"score":106,"percentile":128},"2026-05-21",0.02702,{"date":130,"score":46,"percentile":131},"2026-05-22",0.00241,{"date":133,"score":46,"percentile":134},"2026-05-23",0.0024,{"date":136,"score":46,"percentile":134},"2026-05-24",{"date":138,"score":46,"percentile":139},"2026-05-25",0.00239,{"date":141,"score":46,"percentile":139},"2026-05-26",{"date":143,"score":46,"percentile":144},"2026-05-27",0.00242,{"date":146,"score":46,"percentile":147},"2026-05-28",0.00243,{"date":149,"score":46,"percentile":150},"2026-05-29",0.00247,{"date":152,"score":46,"percentile":81},"2026-05-30",{"date":154,"score":46,"percentile":155},"2026-05-31",0.0025,{"date":157,"score":46,"percentile":158},"2026-06-01",0.00249,{"date":160,"score":46,"percentile":81},"2026-06-02",{"date":162,"score":46,"percentile":81},"2026-06-03",{"date":164,"score":46,"percentile":165},"2026-06-04",0.00252,{"date":80,"score":46,"percentile":81},[168,173],{"source":50,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":169,"cvss_v4_0":9},{"baseScore":48,"baseSeverity":170,"vectorString":51,"impactScore":171,"exploitabilityScore":172},"MEDIUM",6.7,3.8,{"source":56,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":174,"cvss_v4_0":9},{"baseScore":48,"baseSeverity":170,"vectorString":51,"impactScore":171,"exploitabilityScore":172},[176,191,201],{"ecosystem":9,"name":177,"vendor":178,"product":177,"cpe_part":179,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":180},"cmd/go","go toolchain","a",[181,186],{"version":182,"is_range":183,"range_type":50,"version_start":9,"version_start_type":9,"version_end":184,"version_end_type":185,"fixed_in":9},"\u003C 1.25.10",true,"1.25.10","excluding",{"version":187,"is_range":183,"range_type":50,"version_start":188,"version_start_type":189,"version_end":190,"version_end_type":185,"fixed_in":9},">= 1.26.0-0, \u003C 1.26.3","1.26.0-0","including","1.26.3",{"ecosystem":9,"name":192,"vendor":193,"product":192,"cpe_part":179,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":194},"go","golang",[195,198],{"version":196,"is_range":183,"range_type":197,"version_start":9,"version_start_type":9,"version_end":184,"version_end_type":185,"fixed_in":9},"lt1.25.10","cpe",{"version":199,"is_range":183,"range_type":197,"version_start":200,"version_start_type":189,"version_end":190,"version_end_type":185,"fixed_in":9},"gte1.26.0_lt1.26.3","1.26.0",{"ecosystem":202,"name":203,"vendor":202,"product":203,"cpe_part":9,"purl_type":193,"purl_namespace":9,"purl_name":203,"source":9,"versions":204},"Go","toolchain",[205],{"version":206,"is_range":183,"range_type":207,"version_start":188,"version_start_type":189,"version_end":190,"version_end_type":185,"fixed_in":9},"gte1_26_0_0_lt1_26_3","semver"]