CVE-2026-41492: Go Incomplete Debug Cmdline Filter Leaks Expvar Vars
greprules fetch cve-2026-41492-go-incomplete-debug-cmdline-filter-leaks-expvar-vars --engine opengrep
Description
This HTTP handler intercepts only "/debug/pprof/cmdline" before delegating every other path to http.DefaultServeMux.ServeHTTP. Go's expvar package registers an unauthenticated "/debug/vars" handler on http.DefaultServeMux at package init time and publishes os.Args under the JSON key "cmdline". If expvar (or anything that imports it, e.g. a metrics package us
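
The pattern described above, reproduced next to one possible hardened form. This is an added example, not code from the rule or from any affected project; the names incompleteFilter, newPrivateMux and probe and the /healthz route are hypothetical, and the private mux is an assumed mitigation, not a fix stated on this page.

```go
package main

import (
	_ "expvar" // init side effect: registers /debug/vars on http.DefaultServeMux
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // init side effect: registers /debug/pprof/* on http.DefaultServeMux
	"strings"
)

// incompleteFilter reproduces the flagged pattern: a single path is blocked
// and every other request falls through to http.DefaultServeMux.
func incompleteFilter() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/debug/pprof/cmdline" {
			http.NotFound(w, r)
			return
		}
		http.DefaultServeMux.ServeHTTP(w, r)
	})
}

// newPrivateMux is the assumed hardened form: a private mux serves only the
// routes registered on it, so handlers that imported packages attach to
// http.DefaultServeMux at init time are never reachable through it.
func newPrivateMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// probe sends an in-memory GET and reports the status code and whether the
// response body carries expvar's "cmdline" JSON key.
func probe(h http.Handler, path string) (int, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, strings.Contains(rec.Body.String(), `"cmdline"`)
}

func main() {
	for _, p := range []string{"/debug/pprof/cmdline", "/debug/vars", "/healthz"} {
		c1, l1 := probe(incompleteFilter(), p)
		c2, l2 := probe(newPrivateMux(), p)
		fmt.Printf("%-21s filter: %d leak=%v | private mux: %d leak=%v\n", p, c1, l1, c2, l2)
	}
}
```

The same probe can be used as a regression test: assert that no route served by the handler returns a body containing the "cmdline" key.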
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided