The vulnerabilities are in Go's net and net/http packages (v1.26.2)

[Ranganathan95]

The vulnerabilities are in Go's net and net/http packages (v1.26.2)

1. CVE-2026-39836
2. CVE-2026-33814
3. CVE-2026-33811

net & net/http - Affected version 1.26.2

fixed in 1.25.10, 1.26.3

[dmikusa]

Please see https://github.com/orgs/paketo-buildpacks/discussions/401

—-

The present plan is to pick those up in next weeks release cycle.