GO-2026-5029

Source
https://pkg.go.dev/vuln/GO-2026-5029
Import Source
https://vuln.go.dev/ID/GO-2026-5029.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-5029
Aliases
  • CVE-2026-25681
Related
Published
2026-05-22T02:46:43Z
Modified
2026-05-30T05:14:17.199855080Z
Summary
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Database specific
{
    "url": "https://pkg.go.dev/vuln/GO-2026-5029",
    "review_status": "REVIEWED"
}
References
Credits
    • ensy

Affected packages

Go / golang.org/x/net

Package

Name
golang.org/x/net
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.55.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/html",
            "symbols": [
                "Parse",
                "ParseFragment",
                "ParseFragmentWithOptions",
                "ParseWithOptions",
                "parser.parse"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-5029.json"