7.5
Red Hat's Go RPM Macros Package Has Security Flaw
RHSA-2026:3668
Summary
A security issue has been found in Red Hat's Go RPM Macros package that allows malicious code to be injected into RPM packages. An attacker could use this to execute malicious code on a system that installs a compromised package. Users should update to the latest version of the package to fix the issue.
What to do
- Update redhat go-filesystem to version 0:3.6.0-13.el9_7.
- Update redhat go-rpm-macros to version 0:3.6.0-13.el9_7.
- Update redhat go-rpm-macros-debuginfo to version 0:3.6.0-13.el9_7.
- Update redhat go-rpm-macros-debugsource to version 0:3.6.0-13.el9_7.
- Update redhat go-rpm-templates to version 0:3.6.0-13.el9_7.
- Update redhat go-srpm-macros to version 0:3.6.0-13.el9_7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| redhat | go-filesystem | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
| redhat | go-rpm-macros | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
| redhat | go-rpm-macros-debuginfo | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
| redhat | go-rpm-macros-debugsource | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
| redhat | go-rpm-templates | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
| redhat | go-srpm-macros | <= 0:3.6.0-13.el9_7 | 0:3.6.0-13.el9_7 |
Original title
Red Hat Security Advisory: go-rpm-macros security update
osv CVSS3.1: 7.5
- https://access.redhat.com/errata/RHSA-2026:3668 Vendor Advisory
- https://access.redhat.com/security/updates/classification/#important Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2434432 Third Party Advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_3668.j... Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2025-61726 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2025-61726 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-61726 Vendor Advisory
- https://go.dev/cl/736712 Third Party Advisory
- https://go.dev/issue/77101 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-4341 Vendor Advisory
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026