GO-2026-5025

Source
https://pkg.go.dev/vuln/GO-2026-5025
Import Source
https://vuln.go.dev/ID/GO-2026-5025.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2026-5025
Aliases
  • CVE-2026-42506
Published
2026-05-22T02:46:43Z
Modified
2026-05-30T05:14:17.563517047Z
Summary
Incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2026-5025"
}
Credits
    • ensy

Affected packages

Go / golang.org/x/net

Package

Name
golang.org/x/net
Purl
pkg:golang/golang.org/x/net

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.55.0

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/net/html",
            "symbols": [
                "Parse",
                "ParseFragment",
                "ParseFragmentWithOptions",
                "ParseWithOptions",
                "parser.parse"
            ]
        }
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2026-5025.json"