Release date:
2026-06-10 08:41:00 UTC
Description:
- CVE-2026-39825: have net/http/httputil.ReverseProxy reencode the
forwarded query when a request carries more than urlmaxqueryparams
(default 10000) parameters or a non-default GODEBUG=urlmaxqueryparams
is set, so query parameters hidden from a Rewrite hook by the parse
limit can no longer be smuggled to the backend
- CVE-2026-39826: treat a
