The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Conclusion & alert: CVE-2023-39320 is rated Moderate Risk (64/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.41%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.80% | 1.41% | +0.62% |
| 2 | 2025-11-21 | 6.02% | 0.80% | -5.22% |
| 3 | 2025-11-18 | — | 6.02% | — |
Full EPSS history (21 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL | | 3.9 | 5.9 | [email protected] |

| vendor | priority | summary | link |
|---|---|---|---|
| alpine | critical | CVE-2023-39320: 1 source package rows (go); 8 state rows across 5 repos (3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 5, open 3. | https://security.alpinelinux.org/vuln/CVE-2023-39320 |
| gentoo | high | CVE-2023-39320: 1 GLSA(s) (202311-09), 1 atom(s) (dev-lang/go); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2023-39320 |
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2023-39320 |
| suse | high | CVE-2023-39320 severity important: SUSE including 32 source package names (1.21-2.34.5:go1.21-1.21.1-150000.1.6.1, 1.21-2.34.5:go1.21-doc-1.21.1-150000.1.6.1, …), 108 product×package rows across 16 product lines (Container bci/golang, SUSE Enterprise Storage 7.1, … (16 product lines)): Known Not Affected 55, Fixed 53. | https://www.suse.com/security/cve/CVE-2023-39320/ |
| ubuntu | medium | CVE-2023-39320 medium priority: Ubuntu including 13 source packages (golang, golang-1.10, …), 130 status rows across 10 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, trusty, upstream, xenial): DNE 87, not-affected 30, needs-triage 12, released 1. | https://ubuntu.com/security/CVE-2023-39320 |

| URL | Tags |
|---|---|
| https://go.dev/cl/526158 | Patch |
| https://go.dev/issue/62198 | Issue Tracking |
| https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ | Release Notes |
| https://pkg.go.dev/vuln/GO-2023-2042 | Vendor Advisory |
| https://security.gentoo.org/glsa/202311-09 | |
| https://security.netapp.com/advisory/ntap-20231020-0004/ | Third Party Advisory |