fix(security): upgrade Go from 1.25.11 to 1.26.4 to fix 23 stdlib CVEs

[theakshaypant]

📝 Description of the Change

Upgrades the Go toolchain from 1.25.11 → 1.26.4 to address 23 Go standard library CVEs.
go 1.25.11 is the latest patch release in the 1.25.x series — these vulnerabilities require Go 1.26.x and cannot be backported to 1.25.x.

Changes: go.mod (go 1.25.11 → go 1.26.4). No dependency version changes; go.sum is unchanged.

CVEs Fixed (23 total)

CVE	GOVULN ID	Package	Summary
CVE-2026-27137	GO-2026-4599	crypto/x509	Incorrect enforcement of email constraints
CVE-2026-27138	GO-2026-4600	crypto/x509	Panic in name constraint checking for malformed certs
CVE-2026-25679	GO-2026-4601	net/url	Incorrect parsing of IPv6 host literals
CVE-2026-27139	GO-2026-4602	os	FileInfo can escape from a Root
CVE-2026-27142	GO-2026-4603	html/template	URLs in meta content attribute actions not escaped
CVE-2026-32282	GO-2026-4864	os	TOCTOU permits root escape via Root.Chmod
CVE-2026-32289	GO-2026-4865	html/template	JsBraceDepth context tracking bug (XSS)
CVE-2026-33810	GO-2026-4866	crypto/x509	Case-sensitive excludedSubtrees causes auth bypass
CVE-2026-32288	GO-2026-4869	archive/tar	Unbounded allocation for old GNU sparse
CVE-2026-32283	GO-2026-4870	crypto/tls	Unauthenticated TLS 1.3 KeyUpdate causes connection retention
CVE-2026-32281	GO-2026-4946	crypto/x509	Inefficient policy validation
CVE-2026-32280	GO-2026-4947	crypto/x509	Unexpected work during chain building
CVE-2026-33814	GO-2026-4918	net/http	Infinite loop in HTTP/2 transport on bad SETTINGS_MAX_FRAME_SIZE
CVE-2026-39836	GO-2026-4971	net	Panic in Dial/LookupPort when handling NUL byte (Windows)
CVE-2026-39825	GO-2026-4976	net/http	ReverseProxy forwards queries with excess parameters
CVE-2026-42499	GO-2026-4977	net/mail	Quadratic string concatenation in consumePhrase
CVE-2026-39826	GO-2026-4980	html/template	Escaper bypass leads to XSS
CVE-2026-33811	GO-2026-4981	net	Crash when handling long CNAME response
CVE-2026-39823	GO-2026-4982	html/template	Bypass of meta content URL escaping causes XSS
CVE-2026-39820	GO-2026-4986	net/mail	Quadratic string concatenation in consumeComment
CVE-2026-27145	GO-2026-5037	crypto/x509	Inefficient candidate hostname parsing
CVE-2026-42504	GO-2026-5038	mime	Quadratic complexity in WordDecoder.DecodeHeader
CVE-2026-42507	GO-2026-5039	net/textproto	Arbitrary inputs in errors without escaping

How this change was made

1. Updated go 1.25.11 → go 1.26.4 in go.mod
2. Ran GOTOOLCHAIN=go1.26.4 go mod tidy — no dependency changes
3. Ran GOTOOLCHAIN=go1.26.4 go mod verify — all modules verified
4. Built: GOTOOLCHAIN=go1.26.4 go build ./... — success
5. Tested: GOTOOLCHAIN=go1.26.4 go test ./pkg/... — all tests pass

Commits

Commit	Description
e78b7c7	fix(security): upgrade Go from 1.25.11 to 1.26.4 to fix 23 stdlib CVEs

👨🏻‍ Linked Jira

N/A — CVEs discovered via Go vulnerability database (vuln.go.dev) direct check.

🔗 Linked GitHub Issue

N/A

🧪 Testing Strategy

• Unit tests (go test ./pkg/... — all passed)
• Build verification (go build ./... — success)
• go mod verify — all modules verified
• Integration tests (will run in CI)
• End-to-end tests (will run in CI)

🤖 AI Assistance

This PR was created by the Ambient CVE Fixer workflow (Claude Sonnet 4.6).
CVEs were identified by querying the Go vulnerability database (vuln.go.dev) directly.

---

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: theakshaypant / name: Akshay Pant (268c96d)

[gemini-code-assist]

Code Review

This pull request updates the Go version in the go.mod file from 1.25.11 to 1.26.4. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.