Skip to main content

Go x/net/html EUVDEUVD-2026-31452

| CVE-2026-25681 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-22 Go GHSA-w9p8-pvxh-rxpj
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 18:00 vuln.today
CVSS changed
May 29, 2026 - 15:37 NVD
6.1 (None) 6.1 (MEDIUM)
CVE Published
May 22, 2026 - 15:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

AnalysisAI

Parser-differential XSS in golang.org/x/net/html allows sanitization bypass when applications parse-sanitize-reserialize HTML before rendering. The Go HTML parser produces an unexpected tree structure for certain crafted inputs, meaning a sanitizer that walks the first-pass parse tree and deems content safe may produce output that, when re-parsed by a browser or downstream renderer, yields a structurally different - and dangerous - DOM. Affected are all applications using golang.org/x/net/html versions prior to 0.55.0 that rely on this library as part of an HTML sanitization pipeline; no confirmed active exploitation (CISA KEV) and EPSS is 0.03%, but the attack class (mutation XSS) is well-understood and high-value for targeted web application attacks.

Technical ContextAI

The affected component is golang.org/x/net/html (CPE: cpe:2.3:a:golang.org/x/net:golang.org/x/net/html:*:*:*:*:*:*:*:*), the Go extended standard library's HTML5 parsing package, maintained by the Go team. The root cause is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), which here manifests as a parser-differential or mutation XSS (mXSS) condition: the library's Render function reconstructs an HTML string from a parsed tree, but under certain inputs the resulting serialization, when re-parsed - as a browser will do - produces a different DOM tree than was originally sanitized. This is a well-documented class of vulnerability in HTML sanitizers: if the sanitizer's parser and the browser's parser disagree on how to construct a tree from the same markup, a sanitizer can pass content it believes is clean, only for the renderer to interpret it as executable script. The issue is tracked upstream at go.dev/issue/79574 and the fix is in CL 781703.

RemediationAI

The primary fix is to upgrade golang.org/x/net/html to version 0.55.0 or later, which contains the patch per the Go vulnerability database (GO-2026-5029) and the upstream code change at https://go.dev/cl/781703. Run 'go get golang.org/x/net@v0.55.0' and rebuild. As a compensating control where immediate upgrade is not possible, applications should avoid using golang.org/x/net/html's Render output as trusted HTML for re-injection into a browser context - instead, treat any re-serialized output as untrusted and apply a secondary, browser-side Content Security Policy (CSP) with a strict script-src directive to limit XSS impact. Note that CSP is a defense-in-depth measure, not a substitute for patching, and nonce-based CSP may be bypassed if the application itself injects attacker-controlled content. The vendor advisory and patch details are at https://pkg.go.dev/vuln/GO-2026-5029.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed

Share

EUVD-2026-31452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy