JustAppSec

Go 1.26.1 and Go 1.25.8 released with five security fixes (crypto/x509, html/template, net/url, os)

What happened

The Go team released Go 1.26.1 and Go 1.25.8 as minor point releases that include five security fixes in the standard library, announced via golang-announce and forwarded to oss-security.

The fixes cover: (1) two certificate-validation issues in crypto/x509 (one incorrect name-constraint check, one panic), (2) an XSS risk in html/template when a URL is templated into the content attribute of a meta refresh tag, (3) stricter host parsing in net/url for IPv6 literals, and (4) a metadata-disclosure issue in os where directory listings taken through an os.Root could describe files outside that root.

Who is impacted

  • Teams building or running services on Go 1.26 are impacted by both crypto/x509 issues (CVE-2026-27137, CVE-2026-27138); the advisory states each "only affects Go 1.26", so the Go 1.25 line is not exposed to those two.
  • Any application templating untrusted data into HTML using html/template—especially when using <meta http-equiv="refresh" content="..."> patterns—may be impacted by CVE-2026-27142.
  • Any code relying on net/url.Parse accepting malformed host/authority strings involving IPv6 literals will see behavior changes due to CVE-2026-25679: inputs that used to parse are now rejected.
  • Unix programs that open an os.Root and then list directories through it with File.ReadDir / File.Readdir may be impacted by CVE-2026-27139: the returned metadata could describe a file outside the root when a path component was swapped for a symlink between the listing and the lstat.
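To tell whether a given toolchain honours every full-email excluded name constraint or only the last one, the following probe builds an in-memory chain and verifies three leaves against it. This is an added example written for this page, not code from the Go project or the advisory; the CA name, the three email addresses and the one-hour validity window are constructed for the probe. On a correct toolchain both constrained leaves are rejected; a toolchain with the CVE-2026-27137 bug accepts the leaf matching the first constraint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ConstraintProbe summarises how Certificate.Verify treated three leaves
// issued under a CA that excludes two full email addresses.
type ConstraintProbe struct {
	ControlAccepted bool // leaf with an unconstrained address verifies (sanity check)
	FirstRejected   bool // leaf matching the first excluded address is rejected
	LastRejected    bool // leaf matching the last excluded address is rejected
}

// ProbeEmailConstraints builds a self-signed CA that excludes two full email
// addresses, issues one leaf per probe address and verifies each leaf against
// the CA. All names are constructed for the probe.
func ProbeEmailConstraints() (ConstraintProbe, error) {
	var p ConstraintProbe
	now := time.Now()

	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return p, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:           big.NewInt(1),
		Subject:                pkix.Name{CommonName: "Probe CA"},
		NotBefore:              now.Add(-time.Hour),
		NotAfter:               now.Add(time.Hour),
		IsCA:                   true,
		BasicConstraintsValid:  true,
		KeyUsage:               x509.KeyUsageCertSign,
		ExcludedEmailAddresses: []string{"alice@example.com", "bob@example.com"},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return p, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return p, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	// verifies issues a leaf whose only SAN is email and reports whether
	// Certificate.Verify accepts it against the probe CA.
	verifies := func(email string) (bool, error) {
		leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return false, err
		}
		tmpl := &x509.Certificate{
			SerialNumber:   big.NewInt(2),
			Subject:        pkix.Name{CommonName: email},
			NotBefore:      now.Add(-time.Hour),
			NotAfter:       now.Add(time.Hour),
			KeyUsage:       x509.KeyUsageDigitalSignature,
			EmailAddresses: []string{email},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
		if err != nil {
			return false, err
		}
		leaf, err := x509.ParseCertificate(der)
		if err != nil {
			return false, err
		}
		_, err = leaf.Verify(x509.VerifyOptions{
			Roots:     roots,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		})
		return err == nil, nil
	}

	control, err := verifies("carol@example.com") // not excluded: must verify
	if err != nil {
		return p, err
	}
	first, err := verifies("alice@example.com") // first excluded address
	if err != nil {
		return p, err
	}
	last, err := verifies("bob@example.com") // last excluded address
	if err != nil {
		return p, err
	}
	p.ControlAccepted, p.FirstRejected, p.LastRejected = control, !first, !last
	return p, nil
}

func main() {
	p, err := ProbeEmailConstraints()
	if err != nil {
		fmt.Println("probe failed:", err)
		return
	}
	fmt.Printf("control accepted: %t\nfirst excluded address rejected: %t\nlast excluded address rejected: %t\n",
		p.ControlAccepted, p.FirstRejected, p.LastRejected)
	if p.ControlAccepted && !p.FirstRejected {
		fmt.Println("this toolchain honours only the last full-email constraint")
	}
}
```

Run it with the toolchain you deploy with (`go run` picks whatever `go version` reports, so check that first). The control leaf guards against a false positive: if it fails to verify, the rejection of the other two says nothing about name constraints.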
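The html/template exposure is easy to check and to guard against independently of the toolchain. The example below is added for this page and is not code from the Go project: it renders the meta refresh pattern the advisory names, reports (as a heuristic) whether a `javascript:` target survives verbatim, and shows a scheme allowlist applied before the URL ever reaches the template, so the redirect target does not depend on the escaper. The template text and sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// refreshTmpl is the pattern the advisory calls out: a URL action inside the
// content attribute of a meta refresh tag. Constructed for this example.
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<meta http-equiv="refresh" content="0; url={{.}}">`))

// RenderRefresh renders the meta refresh tag with u as the redirect target.
func RenderRefresh(u string) (string, error) {
	var sb strings.Builder
	if err := refreshTmpl.Execute(&sb, u); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ToolchainFiltersMetaURL renders a javascript: URL into the tag and reports
// whether the scheme survived verbatim. Plain attribute escaping (the
// pre-fix behaviour, or GODEBUG=htmlmetacontenturlescape=0) leaves it in
// place; this is a heuristic, so inspect the output if in doubt.
func ToolchainFiltersMetaURL() (bool, error) {
	out, err := RenderRefresh("javascript:alert(1)")
	if err != nil {
		return false, err
	}
	return !strings.Contains(strings.ToLower(out), "javascript:"), nil
}

// SafeRefreshURL is a template-independent guard: it admits only absolute
// http(s) URLs, so an attacker-controlled scheme never reaches the tag.
func SafeRefreshURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", errors.New("refresh target must be an absolute http(s) URL")
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs: one legitimate target and two that must be refused.
	for _, raw := range []string{"https://example.com/login?next=%2Fhome", "javascript:alert(1)", "//evil.example/"} {
		safe, err := SafeRefreshURL(raw)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", raw, err)
			continue
		}
		out, _ := RenderRefresh(safe)
		fmt.Printf("%-40s %s\n", raw, out)
	}
	filtered, err := ToolchainFiltersMetaURL()
	fmt.Printf("javascript: scheme removed by html/template: %t (err=%v)\n", filtered, err)
}
```

Keep the allowlist even after upgrading: the GODEBUG knob can silently restore the old behaviour on a host, and an absolute-http(s) check is what a redirect target should satisfy anyway.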

What to do now

  • Upgrade Go toolchains to Go 1.26.1 (for the 1.26 line) or Go 1.25.8 (for the 1.25 line) and rebuild/redeploy affected services.
  • Review exposure to each CVE:
    • CVE-2026-27137 (crypto/x509): When a certificate carries several full-email name constraints, only the last one is enforced, so an email address excluded by an earlier constraint can pass Certificate.Verify in a chain that leads to a trusted root.
    • CVE-2026-27138 (crypto/x509): Certificate verification can panic when a chain contains an empty DNS name and excluded name constraints; this can crash any program that verifies chains, including TLS clients and servers that verify peer certificates.
    • CVE-2026-27142 (html/template): URL actions inserted into the content attribute of HTML meta tags were not escaped; combined with http-equiv="refresh", an attacker-controlled value becomes the redirect target, which enables XSS. The release adds a GODEBUG knob, htmlmetacontenturlescape; setting htmlmetacontenturlescape=0 disables the new escaping and restores the previous behavior.
    • CVE-2026-25679 (net/url): net/url.Parse now rejects IPv6 literals that are not at the start of the host subcomponent (previously it could treat garbage before an IP-literal as ignorable).
    • CVE-2026-27139 (os): FileInfo returned by ReadDir / Readdir on a directory opened through an os.Root could describe a file outside the Root, because each entry was lstat'd by path and a path component swapped for a symlink in the meantime was resolved outside the root; impact is limited to disclosure of filesystem metadata. The fix stats each entry relative to the directory's file descriptor using fstatat.
  • If you run CI images, base containers, or buildpacks pinned to older Go patch releases, update them and rebuild to ensure the fixed standard library is included.
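For code that cannot pick up the net/url fix immediately, the host subcomponent can be re-validated after Parse so that a bracketed IPv6 literal is only accepted at the very start of the host, which is the rule the patched Parse enforces. The example below is added for this page and is not code from the Go project; on a patched toolchain Parse itself rejects the malformed input and the extra check never runs. Sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ParseStrictHost parses raw with net/url and then re-validates u.Host so
// that an IP-literal is accepted only when it opens the host subcomponent.
// The check is independent of the toolchain: a patched net/url.Parse already
// fails on such input, an unpatched one is caught here.
func ParseStrictHost(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	h := u.Host
	if strings.HasPrefix(h, "[") {
		end := strings.IndexByte(h, ']')
		if end < 0 {
			return nil, errors.New("unterminated IP-literal in host")
		}
		// The bracketed text must be a real IPv6 address (a zone suffix is allowed).
		addr, err := netip.ParseAddr(h[1:end])
		if err != nil || !addr.Is6() {
			return nil, fmt.Errorf("host %q is not a valid IPv6 literal", h)
		}
		// Only an optional :port may follow the closing bracket.
		if rest := h[end+1:]; rest != "" && !strings.HasPrefix(rest, ":") {
			return nil, fmt.Errorf("unexpected text after IP-literal: %q", rest)
		}
		return u, nil
	}
	// No leading bracket: strip an optional :port, then refuse any bracket or
	// colon in what remains, since that means the literal was not at the start.
	hostOnly := h
	if i := strings.LastIndexByte(h, ':'); i >= 0 {
		hostOnly = h[:i]
	}
	if strings.ContainsAny(hostOnly, "[]:") {
		return nil, fmt.Errorf("IP-literal must start the host subcomponent: %q", h)
	}
	return u, nil
}

func main() {
	// Constructed inputs: two well-formed hosts and two that must be refused.
	for _, raw := range []string{
		"http://[::1]:8080/healthz",
		"http://example.com/",
		"http://garbage[::1]/",
		"http://[::1]junk/",
	} {
		u, err := ParseStrictHost(raw)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-28s host=%q port=%q\n", raw, u.Hostname(), u.Port())
	}
}
```

Apply the check at the trust boundary (request routing, SSRF allowlists, redirect validation) where a host that is silently reinterpreted is the dangerous case, and drop it once the fleet is on 1.26.1 / 1.25.8.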
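The os issue concerns metadata obtained by path for entries of a directory opened through an os.Root. A version-independent way to keep every lookup bound to the root is to ask the Root itself for the metadata of each entry instead of calling DirEntry.Info or Readdir: Root.Lstat never follows the final link, and Root.Stat refuses to follow a link that leaves the root. The example below is added for this page and is not code from the Go project; it needs Go 1.24 or later for os.Root, runs on Unix, and the directory layout it builds (a public subdirectory with a regular file, an in-root link and a link that escapes the root) is constructed for the demo.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// EntryMeta is the per-entry metadata reported by ListWithinRoot.
type EntryMeta struct {
	Name    string
	IsLink  bool
	Escapes bool // following the link through the Root was refused
}

// ListWithinRoot lists sub inside an os.Root without trusting a by-path lstat
// of each entry: every metadata lookup goes through the Root, so it is
// resolved relative to the root directory and a link that points outside the
// root is reported rather than followed.
func ListWithinRoot(rootDir, sub string) ([]EntryMeta, error) {
	root, err := os.OpenRoot(rootDir)
	if err != nil {
		return nil, err
	}
	defer root.Close()

	dir, err := root.Open(sub)
	if err != nil {
		return nil, err
	}
	defer dir.Close()
	entries, err := dir.ReadDir(-1)
	if err != nil {
		return nil, err
	}

	var out []EntryMeta
	for _, e := range entries {
		rel := filepath.Join(sub, e.Name())
		li, err := root.Lstat(rel) // describes the entry itself, never its target
		if err != nil {
			return nil, err
		}
		m := EntryMeta{Name: e.Name(), IsLink: li.Mode()&fs.ModeSymlink != 0}
		if m.IsLink {
			// Root.Stat follows the link only while it stays inside the root.
			if _, err := root.Stat(rel); err != nil {
				m.Escapes = true
			}
		}
		out = append(out, m)
	}
	return out, nil
}

// BuildFixture creates, under base, a root directory whose pub subdirectory
// holds a regular file, a link resolving inside the root and a link to a
// secret stored outside the root. Constructed layout for the demo.
func BuildFixture(base string) (string, error) {
	rootDir := filepath.Join(base, "root")
	pub := filepath.Join(rootDir, "pub")
	if err := os.MkdirAll(pub, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(base, "secret.txt"), []byte("outside"), 0o600); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(pub, "file.txt"), []byte("inside"), 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink("file.txt", filepath.Join(pub, "inside")); err != nil {
		return "", err
	}
	// pub/escape -> ../../secret.txt resolves to base/secret.txt, outside root.
	if err := os.Symlink("../../secret.txt", filepath.Join(pub, "escape")); err != nil {
		return "", err
	}
	return rootDir, nil
}

func main() {
	base, err := os.MkdirTemp("", "rootdemo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(base)
	rootDir, err := BuildFixture(base)
	if err != nil {
		fmt.Println(err)
		return
	}
	entries, err := ListWithinRoot(rootDir, "pub")
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%-10s link=%-5t escapes=%t\n", e.Name, e.IsLink, e.Escapes)
	}
}
```

The pattern costs one extra syscall per entry, which is cheap next to the directory read; what it buys is that the metadata you act on (mode, size, owner) was obtained through the same root-relative resolution as any later open, rather than through a path that could have been redirected in between.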

Additional Information

  • oss-security forward of golang-announce release: Go 1.26.1 and Go 1.25.8 announcement and per-issue links (Go issue IDs are included in the message).
  • CVE-to-issue mapping from the announcement:
    • CVE-2026-27137 → go.dev/issue/77952
    • CVE-2026-27138 → go.dev/issue/77953
    • CVE-2026-27142 → go.dev/issue/77954
    • CVE-2026-25679 → go.dev/issue/77578
    • CVE-2026-27139 → go.dev/issue/77827
  • Release notes pointer included in the announcement: go.dev/doc/devel/release#go1.26.1
Source: oss-security (Openwall)
Published 06 Mar 2026

