GCVE - cpe:2.3:a:go_standard_library:os/exec:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:go_standard_library:os/exec:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Go Standard Library (`50bc78d3-15d0-59a4-bc22-a964570e0614`)
Product	Os/Exec (`5cceec21-3df1-51ee-9b88-2fc409567bb1`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-47906`	vulnerable	2026-06-03 15:01:33.598538	Unexpected paths returned from LookPath in os/exec If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Published: 2025-09-18T18:41:11.847Z Updated: 2025-11-04T21:10:54.782Z Open on db.gcve.eu Reference links https://go.dev/cl/691775 https://go.dev/issue/74466 https://groups.google.com/g/golang-announce/c/x5MKroML2yM https://pkg.go.dev/vuln/GO-2025-3956	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-41716`	vulnerable	2026-06-03 14:48:05.879137	Unsanitized NUL in environment variables on Windows in syscall and os/exec Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". Published: 2022-11-02T15:28:19.574Z Updated: 2024-10-30T13:59:43.967Z Open on db.gcve.eu Reference links https://go.dev/issue/56284 https://go.dev/cl/446916 https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ https://pkg.go.dev/vuln/GO-2022-1095	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-30580`	vulnerable	2026-06-03 14:47:09.231679	Empty Cmd.Path can trigger unintended binary in os/exec on Windows Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. Published: 2022-08-09T20:18:04.000Z Updated: 2026-03-06T17:34:03.088Z Open on db.gcve.eu Reference links https://go.dev/cl/403759 https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e https://go.dev/issue/52574 https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ https://pkg.go.dev/vuln/GO-2022-0532	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.