Skip to main content

Go x/net/html CVE-2026-42502

| EUVDEUVD-2026-31448 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-22 Go GHSA-wrh2-89vg-4j9g
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 21:30 vuln.today
CVSS changed
May 29, 2026 - 19:22 NVD
6.1 (None) 6.1 (MEDIUM)
CVE Published
May 22, 2026 - 15:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

AnalysisAI

Mutation XSS in Go's golang.org/x/net/html package allows attackers to bypass HTML sanitization by exploiting a discrepancy between how the html.Parse() function constructs an internal tree and how html.Render() serializes it back. Applications that rely on this package to sanitize untrusted HTML before display are vulnerable: maliciously crafted input can survive sanitization and execute JavaScript in victims' browsers when the rendered output is viewed. No public exploit exists at time of analysis, though the Go security team has issued a fix in version 0.55.0.

Technical ContextAI

The affected component is the golang.org/x/net/html package (CPE: cpe:2.3:a:golang.org/x/net:golang.org/x/net/html:*:*:*:*:*:*:*:*), Go's extended HTML parsing and rendering library. The root cause is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), reflecting a parse-render mismatch: the parser constructs an HTML tree that, when serialized back via Render, produces structurally different HTML than what was originally parsed. This is the classic mutation XSS (mXSS) class of vulnerability. Applications commonly use this package in a sanitize-then-render pipeline: parse untrusted HTML, walk the tree to remove dangerous nodes, then render back to a string for display. Because the Render output can differ structurally from the parsed input, a sanitizer may inspect a safe tree while the rendered output re-introduces executable content the sanitizer never saw.

RemediationAI

Upgrade golang.org/x/net to version 0.55.0 or later, which contains the code change at https://go.dev/cl/781701 that corrects the parse-render mismatch. The Go announce list post at https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 and the vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-5027 provide full upgrade guidance. Run 'go get golang.org/x/net@v0.55.0' and update your go.sum accordingly. If an immediate upgrade is not feasible, applications should avoid using html.Render to produce output after sanitizing with html.Parse, and instead use a dedicated, well-maintained HTML sanitizer library that does not depend on this round-trip pattern. Disabling the affected sanitization flow and rejecting all untrusted HTML input is the most conservative compensating control, though it may break legitimate rich-text features.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed

Share

CVE-2026-42502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy