GO-2026-5030

Source
https://pkg.go.dev/vuln/GO-2026-5030
Import Source
https://vuln.go.dev/ID/GO-2026-5030.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-5030
Aliases
  • CVE-2026-27136
Related
Published
2026-05-22T02:46:43Z
Modified
2026-05-30T05:14:17.711727465Z
Summary
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-5030"
}
References
Credits
    • ensy

Affected packages

Go / golang.org/x/net

Package

Name
golang.org/x/net
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.55.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/html",
            "symbols": [
                "Parse",
                "ParseFragment",
                "ParseFragmentWithOptions",
                "ParseWithOptions",
                "parser.parse"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-5030.json"