Lucene search

12 matches found

CVE
added 2025/10/03 11:35 a.m. | 28 views

CVE-2025-10547

CVE-2025-10547 affects DrayTek Vigor Routers running DrayOS. An uninitialized variable in the HTTP CGI request arguments processing component can cause memory corruption, enabling remote code execution (RCE). Impact, per sources, includes unauthenticated attacker access via LAN or WAN (if EasyVPN...

CVSS 9.8 | AI score 6.5 | EPSS 0.00066
Exploits 0 | References 2
Cvelist
added 2025/10/03 11:35 a.m. | 5 views

CVE-2025-10547

An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption...

EPSS 0.00066
Exploits 0 | References 1
OSV
added 2022/02/17 6:15 p.m. | 32 views

GO-2021-0143

When a Handler does not explicitly set the Content-Type header, the net/http/cgi and net/http/fcgi packages default to "text/html", which can cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response...

AI score 0.9
Exploits 0 | References 4
OSV
added 2022/01/13 3:44 a.m. | 38 views

GO-2021-0226 Cross-site scripting in net/http/cgi and net/http/fcgi

When a Handler does not explicitly set the Content-Type header, the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the...

CVSS 6.1 | AI score 6.2 | EPSS 0.0015
Exploits 2 | References 4
Tenable Nessus
added 2021/02/01 12:0 a.m. | 68 views

CentOS 8 : go-toolset:rhel8 (CESA-2020:5493)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:5493 advisory. - golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS CVE-2020-24553 - golang: math/big: panic during recursive...

CVSS 7.5 | AI score 7 | EPSS 0.00711
Exploits 2 | References 5
RedHat Linux
added 2020/12/15 5:12 p.m. | 106 views

Moderate: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 7 | EPSS 0.00711
Exploits 2 | References 6
Mageia
added 2020/11/15 3:45 p.m. | 92 views

Updated golang packages fix a security vulnerability

A flaw was found in Go standard library packages. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". An attacker could exploit this in applications using these packages by uploading crafted files, allowing fo...

CVSS 6.1 | AI score 6.2 | EPSS 0.0015
Exploits 2 | References 3
Tenable Nessus
added 2020/09/02 12:0 a.m. | 43 views

FreeBSD : go -- net/http/cgi, net/http/fcgi: XSS (XSS) when Content-Type is not specified (67b050ae-ec82-11ea-9071-10c37b4ac2ea)

The Go project reports: When a Handler does not explicitly set the Content-Type header, both CGI implementations default to 'text/html'. If an attacker can make a server generate content under their control e.g. a JSON containing user data or an uploaded image file this might be mistakenly...

CVSS 6.1 | AI score 6.9 | EPSS 0.0015
Exploits 2 | References 3
OSV
added 2019/11/20 1:15 p.m. | 1 views

CVE-2019-16200

GNU Serveez through 0.2.2 has an Information Leak. An attacker may send an HTTP POST request to the /cgi-bin/reader URI. The attacker must include a Content-length header with a large positive value that, when represented in 32 bit binary, evaluates to a negative number. The problem exists in the...

CVSS 7.5 | AI score 7.4
Exploits 0 | References 1
Prion
added 2019/11/20 1:15 p.m. | 9 views

Heap overflow

GNU Serveez through 0.2.2 has an Information Leak. An attacker may send an HTTP POST request to the /cgi-bin/reader URI. The attacker must include a Content-length header with a large positive value that, when represented in 32 bit binary, evaluates to a negative number. The problem exists in the...

CVSS 5 | AI score 7.5 | EPSS 0.00391
Exploits 1 | References 1 | Affected Software 1
Veracode
added 2017/05/03 2:22 a.m. | 23 views

HTTPoxy Vulnerability

net/http/cgi and net/http in github.com/golang/go is vulnerable to httpoxy attacks. The vulnerability exists because it trusts the HTTP_PROXY environment variable, and allows the configuration of proxies by setting the environment variables HTTP_PROXY and HTTPS_PROXY without checking if CGI is in us...

CVSS 8.1 | AI score 7.8 | EPSS 0.45904
Exploits 0 | References 12 | Affected Software 2
GithubExploit
added 2014/09/26 1:30 a.m. | 4 views

Exploit for OS Command Injection in Gnu Bash

BadBash: CVE-2014-6271 ShellShock RCE PoC tool...

CVSS 10 | AI score 9.6 | EPSS 0.9422
Exploits 130