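Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default Content-Type for responses from CGI/FCGI handlers that do not set a Content-Type header. A response body that echoes attacker-controlled data is therefore rendered as HTML by the browser unless the handler sets an explicit Content-Type.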
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "golang-1.10": "1.10.4-2ubuntu1~16.04.2", "golang-1.10-go": "1.10.4-2ubuntu1~16.04.2", "golang-1.10-src": "1.10.4-2ubuntu1~16.04.2", "golang-1.10-doc": "1.10.4-2ubuntu1~16.04.2", "golang-1.10-go-dbgsym": "1.10.4-2ubuntu1~16.04.2" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "golang-1.10": "1.10.4-2ubuntu1~18.04.2", "golang-1.10-go": "1.10.4-2ubuntu1~18.04.2", "golang-1.10-src": "1.10.4-2ubuntu1~18.04.2", "golang-1.10-doc": "1.10.4-2ubuntu1~18.04.2", "golang-1.10-go-dbgsym": "1.10.4-2ubuntu1~18.04.2" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "golang-1.14-src": "1.14.3-2ubuntu2~20.04.2", "golang-1.14-go-dbgsym": "1.14.3-2ubuntu2~20.04.2", "golang-1.14-doc": "1.14.3-2ubuntu2~20.04.2", "golang-1.14-go": "1.14.3-2ubuntu2~20.04.2", "golang-1.14": "1.14.3-2ubuntu2~20.04.2" } ] }