The Wire · Showcase
GO 1.27 RELEASE CANDIDATE LANDS, VULNDB PLUGS TWO NEW HOLES
By RepoJournal · Filed · About Go
Go 1.27 RC1 is available now [ref:11], and the vulnerability database just sealed two fresh CVEs while patching an insufficient fix from last month [ref:1] [ref:2] [ref:3].
The toolchain is ready for testing [5], with stdlib indexes refreshed across the ecosystem. On the security front, the vulndb team added GO-2026-5062 and GO-2026-5061 in quick succession [2] [3], then backfilled a followup fix for GO-2026-4961 after the original patch proved insufficient [4]. This is typical hardening work ahead of the final release, so audit your dependencies now if you're on any of those affected versions. Meanwhile, the http package gained trailer validation to block header injection attacks [6], a breaking change that tightens HTTP/1 request and response handling. The compiler saw SIMD repairs [7], a PGO profile refresh [8], and Plan 9 environment inheritance fixes [9] to ensure testdata builds work everywhere. A typo fix in the types2 comment landed too [10], the kind of polish that accumulates across releases.
Action items
- → Download Go 1.27 RC1 and test your services against the new trailer validation in net/http golang/go [plan]
- → Check vulndb for GO-2026-5062, GO-2026-5061, and updated GO-2026-4961 to see if any of your dependencies are affected golang/vulndb [monitor]
- → Review http.Header and http.Response code for trailer usage if you're writing custom HTTP implementations golang/go [plan]
References
- [1] dl: add go1.27rc1 golang/dl
- [2] data/reports: add GO-2026-5062 golang/vulndb
- [3] data/reports: add GO-2026-5061 golang/vulndb
- [4] data/reports: update fix version in GO-2026-4961 golang/vulndb
- [5] internal/stdlib: update stdlib index for Go 1.27 Release Candidate 1 golang/tools
- [6] net/http: validate trailers when writing requests and responses golang/go
- [7] simd: repair missed StorePart-returns-int in generated code golang/go
- [8] cmd/compile: update default PGO profile golang/go
- [9] simd: set GOEXPERIMENT in testdata tests golang/go
- [10] cmd/compile: fix typo in comment golang/go
FAQ
- What changed in Go on June 19, 2026?
- Go 1.27 RC1 is available now , and the vulnerability database just sealed two fresh CVEs while patching an insufficient fix from last month .
- What should Go teams do about it?
- Download Go 1.27 RC1 and test your services against the new trailer validation in net/http • Check vulndb for GO-2026-5062, GO-2026-5061, and updated GO-2026-4961 to see if any of your dependencies are affected • Review http.Header and http.Response code for trailer usage if you're writing custom HTTP implementations
- Which Go repositories shipped on June 19, 2026?
- golang/dl, golang/vulndb, golang/tools, golang/go