6.1
CVE-2026-27136
- EPSS 0.18%
- Veröffentlicht 22.05.2026 15:01:22
- Zuletzt bearbeitet 29.05.2026 15:27:46
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.075 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/issue/79575
https://go.dev/cl/781685
https://pkg.go.dev/vuln/GO-2026-5030