6.1
CVE-2026-25681
- EPSS 0.18%
- Veröffentlicht 22.05.2026 15:01:21
- Zuletzt bearbeitet 29.05.2026 15:30:15
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.075 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/issue/79574
https://go.dev/cl/781703
https://pkg.go.dev/vuln/GO-2026-5029