Code execution vulnerability in SWIG code generation in cmd/go

Description

SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

Affected Products

Vendor	Product	Versions
go toolchain	cmd/go	0, 1.26.0-0

References

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-27140 | cmd-go up to 1.25.8/1.26.1 on Go SWIG File Parser trust boundary violation

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

PublishedApr 8, 2026

Last enriched2d agov2

Trending Score31

Source articles1

Independent1

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (1)

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Updated: description, severity, affectedVersions, activelyExploited

Apr 8, 2026

Actively Exploited

Apr 9, 2026

Patch Available

Apr 9, 2026

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated severity to CRITICAL, added affected versions 1.25.8 and 1.26.1, and corrected exploit availability to false.

descriptionseverityaffectedVersionsactivelyExploited

via VulDB

v12d ago

Initial creation

Code execution vulnerability in SWIG code generation in cmd/go

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History