Skip to main content

Go html/template EUVDEUVD-2026-28424

| CVE-2026-39823 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 Go GHSA-2283-wf8c-rw8r
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 08, 2026 - 15:23 vuln.today
CVSS changed
May 08, 2026 - 15:22 NVD
6.1 (MEDIUM)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
MEDIUM 6.1

DescriptionCVE.org

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Go's html/template library allows attackers to bypass URL escaping in meta tag content attributes by inserting ASCII whitespaces around the equals sign, enabling injection of malicious scripts into web applications. Affects Go 1.25.x before 1.25.10 and 1.26.x before 1.26.3. This is a regression from CVE-2026-27142 where the fix was incomplete, and exploitation requires user interaction (UI:R) but operates across security boundaries (S:C).

Technical ContextAI

The Go html/template package is the standard library's HTML templating engine, which automatically escapes values inserted into HTML templates to prevent injection attacks. The vulnerability exists in the URL escaper component that processes content attributes within HTML meta tags. When a URL contains ASCII whitespaces adjacent to an equals sign ('='), the escaper incorrectly fails to encode these characters, allowing an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript. This is a character-encoding edge case in the escaping logic; the root cause is incomplete validation of all whitespace variants that could alter HTML parsing semantics. The issue was introduced as a partial fix to CVE-2026-27142, indicating that the initial remediation did not account for all dangerous input patterns.

RemediationAI

Upgrade to Go 1.25.10 or later for the 1.25.x series, or to Go 1.26.3 or later for the 1.26.x series. These patched versions restore correct escaping of whitespace characters around equals signs in meta tag content attributes. Users unable to upgrade immediately should implement input validation on any user-controlled URLs destined for meta tag content attributes, specifically stripping or rejecting ASCII whitespace characters (space, tab, newline, carriage return) in positions immediately before or after equals signs. Additionally, adopt a Content Security Policy (CSP) header with script-src 'self' (or more restrictive) to provide defense-in-depth against XSS injection, though this does not replace the patch. For applications serving untrusted content in meta tags (e.g., social sharing previews), consider using a dedicated HTML sanitizer library (e.g., bluemonday for Go) in addition to template escaping, though note this adds processing overhead and must be carefully configured to not strip legitimate Open Graph metadata.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-28424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy