CVE-2026-27142
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Analysis
HTML meta tags with http-equiv="refresh" attributes fail to properly escape URLs inserted through certain actions, enabling cross-site scripting (XSS) attacks against applications using this functionality. An unauthenticated attacker can exploit this to execute arbitrary JavaScript in users' browsers by crafting malicious URLs. …
Remediation
Within 24 hours: Inventory all applications using dynamic meta tag refresh functionality and assess exposure scope. Within 7 days: Implement input validation and output encoding for all URL parameters inserted into meta tags; deploy WAF rules to block suspicious meta refresh patterns. …
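For the inventory step, one way to locate affected templates is to scan template source for `<meta http-equiv="refresh">` tags whose `content` attribute contains an action after `url=`. This is an added example, not code from this advisory or from the Go project. It assumes the default `{{`/`}}` action delimiters and quoted attribute values; `Finding`, `ScanTemplate` and the sample template are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one meta refresh tag whose redirect URL is built by a template action.
type Finding struct {
	Line int    // 1-based line where the <meta> tag starts
	Tag  string // the tag text as written in the template
}

var (
	metaTag   = regexp.MustCompile(`(?is)<meta\b[^>]*>`)
	isRefresh = regexp.MustCompile(`(?i)\bhttp-equiv\s*=\s*["']?refresh\b`)
	content   = regexp.MustCompile(`(?is)\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')`) // quoted values only
	urlAction = regexp.MustCompile(`(?is)url\s*=.*\{\{`)
)

// ScanTemplate reports meta refresh tags where an action follows "url=" in content.
func ScanTemplate(src string) []Finding {
	var out []Finding
	for _, loc := range metaTag.FindAllStringIndex(src, -1) {
		tag := src[loc[0]:loc[1]]
		if !isRefresh.MatchString(tag) {
			continue
		}
		m := content.FindStringSubmatch(tag)
		if m != nil && urlAction.MatchString(m[1]+m[2]) {
			out = append(out, Finding{Line: 1 + strings.Count(src[:loc[0]], "\n"), Tag: tag})
		}
	}
	return out
}

// Constructed sample template, not taken from any real application.
const sample = `<html><head>
<meta http-equiv="refresh" content="5; url=/static/landing">
<meta http-equiv="Refresh" content="0; URL={{.Next}}">
<meta name="description" content="url={{.Desc}}">
<meta content='3;url={{.Target}}'
      http-equiv=refresh>
</head></html>`

func main() {
	fmt.Printf("%+v\n", ScanTemplate(sample))
}
```

Each finding marks a template to review once the data feeding the action is known; a static `url=` target or a non-refresh meta tag is not reported.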