{"id":"GO-2026-4979","summary":"Invoking \"go tool pack\" does not sanitize output paths in cmd/go","details":"The \"go tool pack\" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the \"pack\" subcommand can write files to arbitrary locations on the filesystem.","aliases":["BIT-golang-2026-39817","CVE-2026-39817"],"modified":"2026-05-11T08:11:26.978790087Z","published":"2026-05-07T19:21:40Z","related":["CGA-87x8-mxjj-m9rm"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4979","review_status":"REVIEWED"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78778"},{"type":"FIX","url":"https://go.dev/cl/767520"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4979.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harshit Gupta (Mr HAX)"}]}