Skip to main content

golang.org/x/net/html EUVDEUVD-2026-31446

| CVE-2026-42506 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-22 Go GHSA-cg87-vwwh-xvgj
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 21:31 vuln.today
CVSS changed
May 29, 2026 - 19:07 NVD
6.1 (None) 6.1 (MEDIUM)
CVE Published
May 22, 2026 - 15:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

AnalysisAI

XSS sanitization bypass in Go's extended networking HTML parser (golang.org/x/net/html) allows remote unauthenticated attackers to execute cross-site scripting payloads against victims of Go web applications that rely on the library's parse-sanitize-render pipeline. The vulnerability arises because html.Render() can serialize a parsed and sanitized node tree into HTML output that structurally diverges from the sanitized intermediate representation, causing attacker-controlled content to re-materialize in rendered output. No active exploitation is confirmed (CISA KEV absent, EPSS 0.03%), but any Go application using this library as a sanitization layer is structurally exposed until upgraded to version 0.55.0.

Technical ContextAI

The affected component is golang.org/x/net/html, Go's extended HTML parsing library implementing an HTML5-compliant tokenizer and tree builder (CPE: cpe:2.3:a:golang.org/x/net:golang.org/x/net/html:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation). Applications commonly adopt a parse-sanitize-render pipeline: raw HTML is parsed into a node tree, unwanted nodes or attributes are removed via tree traversal, and the cleaned tree is serialized back to HTML via Render(). The flaw is that Render() can produce output that does not faithfully represent the sanitized tree - likely due to normalization differences, implicit HTML5 tree corrections, or serialization edge cases - allowing attacker-controlled markup to survive into final output. This is consistent with the class of vulnerability known as mutation XSS (mXSS), where parser differentials between sanitization and rendering stages invalidate sanitization guarantees. The issue is tracked upstream at go.dev/issue/79571 and addressed by code change go.dev/cl/781700.

RemediationAI

Upgrade golang.org/x/net to version 0.55.0 or later by running go get golang.org/x/net@v0.55.0 and rebuilding all affected services. The fix is documented at pkg.go.dev/vuln/GO-2026-5025 and implemented in code change https://go.dev/cl/781700. For teams unable to patch immediately, the most effective compensating control is replacing the parse-sanitize-render pipeline with a dedicated HTML sanitization library such as bluemonday, which serializes output independently of golang.org/x/net/html's Render() function, eliminating the parser-differential attack surface entirely. Alternatively, applying a strict allow-list output encoding pass after Render() can reduce exposure, but adds complexity and is not a substitute for patching. Deploying strict Content Security Policy headers (script-src 'self' or nonce-based) limits the impact of any XSS that does execute, though CSP is a defense-in-depth layer and should not be treated as primary mitigation. The golang-announce mailing list entry at https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 contains additional advisory context.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed

Share

EUVD-2026-31446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy