6.1
CVE-2026-42506
- EPSS 0.19%
- Veröffentlicht 22.05.2026 15:01:21
- Zuletzt bearbeitet 29.05.2026 19:06:20
- Quelle security@golang.org
- CVE-Watchlists
- Unerledigt
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.085 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/issue/79571
https://go.dev/cl/781700
https://pkg.go.dev/vuln/GO-2026-5025