Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
Conclusion & alert: CVE-2023-24531 is rated Moderate Risk (57.9/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 0.83%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.60% | 0.83% | +0.23% |
| 2 | 2026-05-06 | 0.48% | 0.60% | +0.12% |
| 3 | 2025-11-21 | — | 0.48% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2023-24531 not yet assigned priority: Debian including 2 source packages (golang-1.15, golang-1.19), 2 status rows across 2 suites (bookworm, bullseye): open 2. | https://security-tracker.debian.org/tracker/CVE-2023-24531 |
suse
|
medium | CVE-2023-24531 severity moderate: SUSE including 9 source package names (go, go-doc, …), 75 product×package rows across 13 product lines (SUSE Enterprise Storage 7.1, SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, … (13 product lines)): Known Not Affected 75. | https://www.suse.com/security/cve/CVE-2023-24531/ |
ubuntu
|
medium | CVE-2023-24531 medium priority: Ubuntu including 14 source packages (golang, golang-1.10, …), 123 status rows across 11 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 79, needs-triage 32, released 5, not-affected 4, ignored 3. | https://ubuntu.com/security/CVE-2023-24531 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||