Chrisd8088

#32295 of 53,630
7.8 Total CVSS
Vulnerabilities · 1
PT-2022-20188
7.8
2022-06-07
Google · Go · CVE-2022-30580
**Name of the Vulnerable Software and Affected Versions**

- Go versions prior to 1.17.11
- Go versions prior to 1.18.3

**Description**

The issue allows for code injection in `Cmd.Start` in `os/exec`, enabling the execution of any binaries in the working directory named either "..com" or "..exe" by calling `Cmd.Run`, `Cmd.Start`, `Cmd.Output`, or `Cmd.CombinedOutput` when `Cmd.Path` is unset. This occurs on Windows.

**Recommendations**

- For Go versions prior to 1.17.11, update to Go 1.17.11 or later to resolve the issue.
- For Go versions prior to 1.18.3, update to Go 1.18.3 or later to resolve the issue.

As a temporary workaround, consider setting `Cmd.Path` to a specific executable to avoid unintentional execution of binaries in the working directory.