Go Security Update: RootChmod Symlink Traversal, XSS in Templates, and crypto/x509 Wildcard Fix

Vulnerability Summary Vulnerability Overview Go versions 1.26.2 and 1.25.9 have been released, containing 10 security fixes. These primarily address RootChmod symlink traversal, HTML/Template template literal context tracking, and crypto/x509 wildcard domain DNS constraint issues. Detailed Vulnerability Information 1. RootChmod Symlink Traversal Vulnerability (CVE-2026-23282) Description: On Linux systems, if the target of RootChmod is replaced by a symlink while a chmod operation is in progress, RootChmod may operate on the target pointed to by the symlink, even if that target lies outside the root directory. Cause: The Linux system call typically ignores the flag. RootChmod originally used this flag to prevent symlink traversal and verify that the target was within the root directory. However, issues arise if the target is replaced by a symlink after the check. Fix: On Linux, RootChmod now uses the system call (if available) and employs as a workaround. 2. HTML/Template Template Literal Context Tracking Vulnerability (CVE-2026-23289) Description: Context is not correctly tracked within JS template literals. Cause: Context is not correctly tracked within JS template literals, leading to potential incorrect content escaping when templates are used within branches. Additionally, template operations within JS template literals are not correctly tracking brace depth, resulting in incorrect escaping being applied. Impact: This may cause operations within JS template literals to be escaped incorrectly or not at all, potentially leading to XSS vulnerabilities. This only affects templates utilizing template operations within JS template literals. Fix: Fixed the context tracking and brace depth tracking logic. 3. crypto/x509 Wildcard Domain DNS Constraint Vulnerability Description: Excluded DNS constraints are not correctly applied to wildcard domains. Cause: When validating certificate chains containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs with different casing. For example, if a certificate contains the DNS name and the excluded DNS name is , the constraint will not be applied. Fix: Fixed the logic for applying DNS constraints to wildcard domains (ensuring case-insensitivity). Remediation Upgrade to Go 1.26.2 or Go 1.25.9 to apply the above security fixes.

Goal Reached Thanks to every supporter — we hit 100%!

Go Security Update: RootChmod Symlink Traversal, XSS in Templates, and crypto/x509 Wildcard Fix