github.com/Go-resty/resty/v2-v2.17.1: 7 vulnerabilities (highest severity is: 9.6) #80

Description

@mend-for-github-com
Vulnerable Library - github.com/Go-resty/resty/v2-v2.17.1

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Vulnerabilities

| Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (github.com/Go-resty/resty/v2-v2.17.1 version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-39821 | Critical | 9.6 | Not Defined | 0.045% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-33814 | High | 7.5 | Not Defined | 0.018% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-25680 | Medium | 6.5 | Not Defined | 0.043% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-42506 | Medium | 6.1 | Not Defined | 0.031% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-42502 | Medium | 6.1 | Not Defined | 0.031% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-27136 | Medium | 6.1 | Not Defined | 0.031% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |
| CVE-2026-25681 | Medium | 6.1 | Not Defined | 0.031% | golang.org/x/net-v0.49.0 | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2026-39821

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

Publish Date: 2026-05-22

URL: CVE-2026-39821

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.045%

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5026

Release Date: 2026-05-22

Fix Resolution: golang.org/x/net - v0.55.0,https://github.com/golang/net.git - v0.55.0

CVE-2026-33814

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When processing HTTP/2 SETTINGS frames, the transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Publish Date: 2026-05-07

URL: CVE-2026-33814

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.018%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-07

Fix Resolution:

  • github.com/golang/go - go1.26.3
  • github.com/golang/go - go1.25.10
  • golang.org/x/net - v0.53.0
  • https://github.com/golang/net.git - v0.53.0
  • https://github.com/golang/go.git - go1.25.10
  • https://github.com/golang/go.git - go1.26.3

CVE-2026-25680

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Publish Date: 2026-05-22

URL: CVE-2026-25680

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.043%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5028

Release Date: 2026-05-22

Fix Resolution: golang.org/x/net - v0.55.0,https://github.com/golang/net.git - v0.55.0

CVE-2026-42506

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Publish Date: 2026-05-22

URL: CVE-2026-42506

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.031%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/net.git - v0.55.0,golang.org/x/net - v0.55.0

CVE-2026-42502

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Publish Date: 2026-05-22

URL: CVE-2026-42502

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.031%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/net.git - v0.55.0,golang.org/x/net - v0.55.0

CVE-2026-27136

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Publish Date: 2026-05-22

URL: CVE-2026-27136

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.031%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-22

Fix Resolution: https://github.com/golang/net.git - v0.55.0,golang.org/x/net - v0.55.0

CVE-2026-25681

Vulnerable Library - golang.org/x/net-v0.49.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.49.0.zip

Path to dependency file: /go.mod

Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/golang.org/x/net/@v/v0.49.0.mod

Dependency Hierarchy:

  • github.com/Go-resty/resty/v2-v2.17.1 (Root Library)
    • golang.org/x/net-v0.49.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Publish Date: 2026-05-22

URL: CVE-2026-25681

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.031%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pkg.go.dev/vuln/GO-2026-5029

Release Date: 2026-05-22

Fix Resolution: golang.org/x/net - v0.55.0,https://github.com/golang/net.git - v0.55.0
