JustAppSec

Go 1.26.1 and 1.25.8 ship five security fixes across stdlib

1 min read | Published 06 Mar 2026 | Source: oss-security (Openwall)

TL;DR: Go 1.26.1 and 1.25.8 ship five security fixes across crypto/x509, html/template, net/url, and os: two certificate-validation bugs, an XSS via <meta http-equiv="refresh">, stricter URL host parsing, and an os.Root escape.

What happened

Go is Google's statically-typed programming language, widely used for backend services, cloud infrastructure, and CLI tools. The Go team released Go 1.26.1 and Go 1.25.8 with five security fixes: two crypto/x509 certificate-validation bugs (an email name-constraint bypass, and a panic on an empty DNS name combined with name constraints), an XSS in html/template when a URL is templated into a <meta http-equiv="refresh"> tag, stricter host/authority parsing in net/url, and an escape from an os.Root-confined tree via a symlink race in ReadDir.

The two crypto/x509 issues affect Go 1.26 only; the html/template, net/url and os fixes apply to both the 1.26 and 1.25 branches. If you template user-controlled data into <meta> tags, the html/template fix is the one to review first.
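As an added illustration of the html/template check (example code written for this summary, not code from the Go release or from the oss-security post), the snippet below shows the refresh-tag pattern to look for and a defensive allowlist applied before the value reaches the template. ValidateRefreshURL and RenderRefresh are names chosen here, and the template text and the inputs in main are constructed. The allowlist does not reproduce CVE-2026-27142, whose exact mechanics this page does not describe; it is the independent check that keeps javascript:, data: and scheme-relative targets out of a refresh regardless of which toolchain rendered the page.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// refreshTmpl puts a URL into a <meta http-equiv="refresh"> target. Whether
// html/template applies URL-context filtering to this attribute depends on the
// toolchain version (the CVE-2026-27142 fix), so the template alone is not the
// control; validate the value before it gets here.
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<!doctype html><meta http-equiv="refresh" content="0; url={{.Target}}">`))

// ValidateRefreshURL is a defensive allowlist added for this example: parse the
// candidate with net/url and accept only absolute http(s) URLs that carry a
// host and no userinfo. javascript:, data:, and scheme-relative targets fail.
func ValidateRefreshURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("refresh target: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return "", errors.New("refresh target: scheme must be http or https")
	}
	if u.Host == "" || u.User != nil {
		return "", errors.New("refresh target: host required, userinfo not allowed")
	}
	// Re-serialise so the template receives a canonical form, not the raw bytes.
	return u.String(), nil
}

// RenderRefresh validates the target and only then hands it to the template.
func RenderRefresh(raw string) (string, error) {
	target, err := ValidateRefreshURL(raw)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := refreshTmpl.Execute(&sb, struct{ Target string }{target}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed inputs: one benign redirect and two a user must not be able to inject.
	for _, in := range []string{
		"https://example.com/next?step=2",
		"javascript:alert(document.domain)",
		"data:text/html,<script>alert(1)</script>",
	} {
		out, err := RenderRefresh(in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Println(out)
	}
}
```

The scheme check is deliberately done on the parsed URL rather than with a string prefix test, so that leading whitespace, mixed case, and a missing scheme are all handled by net/url rather than by hand-written matching.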

CVE              Package         Impact
CVE-2026-27137   crypto/x509     Email name constraint bypass (1.26 only)
CVE-2026-27138   crypto/x509     Panic on empty DNS name with name constraints (1.26 only)
CVE-2026-27142   html/template   XSS via <meta http-equiv="refresh">
CVE-2026-25679   net/url         Malformed host/authority parsing
CVE-2026-27139   os              Root escape via symlink race in ReadDir

Who is impacted

  • Teams building with Go 1.26 are impacted by all five CVEs.
  • Teams on Go 1.25 are impacted by CVE-2026-27142, CVE-2026-25679, and CVE-2026-27139.

What to do now

  • Upgrade to Go 1.26.1 or Go 1.25.8 (or whichever patched release is current when you read this) and rebuild your binaries.
  • Review exposure to each CVE, particularly:
    • html/template: search templates for <meta http-equiv="refresh" ...> tags whose url= value comes from user data.
    • crypto/x509: on Go 1.26, review any service that verifies certificates, especially against name-constrained CAs or with email SANs.
  • Update CI images, base containers, and buildpacks pinned to older Go patch releases; a patched toolchain on developer machines does nothing for artifacts built elsewhere.
