6.1
CVE-2026-42502
- EPSS 0.18%
- Veröffentlicht 22.05.2026 15:01:21
- Zuletzt bearbeitet 29.05.2026 19:09:48
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.075 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/issue/79572
https://go.dev/cl/781701
https://pkg.go.dev/vuln/GO-2026-5027