Skip to main content

Golang Org X Net Html

5 CVEs product

Monthly

CVE-2026-27136 Go MEDIUM PATCH This Month

Mutation XSS in golang.org/x/net/html allows attackers to bypass HTML sanitization by exploiting divergence between the parsed and rendered HTML tree. Applications that parse untrusted HTML using this library, sanitize the resulting tree, and then re-render it are vulnerable - the rendered output can differ structurally from the sanitized intermediate representation, reintroducing attacker-controlled script execution. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible, no-authentication attack path with changed scope makes this relevant to any Go application handling user-supplied HTML.

XSS Golang Org X Net Html Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25681 Go MEDIUM PATCH This Month

Parser-differential XSS in golang.org/x/net/html allows sanitization bypass when applications parse-sanitize-reserialize HTML before rendering. The Go HTML parser produces an unexpected tree structure for certain crafted inputs, meaning a sanitizer that walks the first-pass parse tree and deems content safe may produce output that, when re-parsed by a browser or downstream renderer, yields a structurally different - and dangerous - DOM. Affected are all applications using golang.org/x/net/html versions prior to 0.55.0 that rely on this library as part of an HTML sanitization pipeline; no confirmed active exploitation (CISA KEV) and EPSS is 0.03%, but the attack class (mutation XSS) is well-understood and high-value for targeted web application attacks.

XSS Golang Org X Net Html Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25680 Go MEDIUM PATCH This Month

Excessive CPU consumption in the golang.org/x/net/html package's HTML parser allows remote attackers to cause denial of service by supplying crafted HTML input to any Go application that parses untrusted markup using this library. All versions before 0.55.0 are confirmed affected per EUVD-2026-31447 and the Go vulnerability database (GO-2026-5028). No active exploitation has been identified - CISA SSVC rates exploitation as 'none' and the EPSS score of 0.04% (13th percentile) indicates very low observed exploitation probability at time of analysis.

Denial Of Service Golang Org X Net Html Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42502 Go MEDIUM PATCH This Month

Mutation XSS in Go's golang.org/x/net/html package allows attackers to bypass HTML sanitization by exploiting a discrepancy between how the html.Parse() function constructs an internal tree and how html.Render() serializes it back. Applications that rely on this package to sanitize untrusted HTML before display are vulnerable: maliciously crafted input can survive sanitization and execute JavaScript in victims' browsers when the rendered output is viewed. No public exploit exists at time of analysis, though the Go security team has issued a fix in version 0.55.0.

XSS Golang Org X Net Html Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-42506 Go MEDIUM POC PATCH This Month

XSS sanitization bypass in Go's extended networking HTML parser (golang.org/x/net/html) allows remote unauthenticated attackers to execute cross-site scripting payloads against victims of Go web applications that rely on the library's parse-sanitize-render pipeline. The vulnerability arises because html.Render() can serialize a parsed and sanitized node tree into HTML output that structurally diverges from the sanitized intermediate representation, causing attacker-controlled content to re-materialize in rendered output. No active exploitation is confirmed (CISA KEV absent, EPSS 0.03%), but any Go application using this library as a sanitization layer is structurally exposed until upgraded to version 0.55.0.

XSS Golang Org X Net Html Suse
NVD VulDB GitHub
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Mutation XSS in golang.org/x/net/html allows attackers to bypass HTML sanitization by exploiting divergence between the parsed and rendered HTML tree. Applications that parse untrusted HTML using this library, sanitize the resulting tree, and then re-render it are vulnerable - the rendered output can differ structurally from the sanitized intermediate representation, reintroducing attacker-controlled script execution. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible, no-authentication attack path with changed scope makes this relevant to any Go application handling user-supplied HTML.

XSS Golang Org X Net Html Suse
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Parser-differential XSS in golang.org/x/net/html allows sanitization bypass when applications parse-sanitize-reserialize HTML before rendering. The Go HTML parser produces an unexpected tree structure for certain crafted inputs, meaning a sanitizer that walks the first-pass parse tree and deems content safe may produce output that, when re-parsed by a browser or downstream renderer, yields a structurally different - and dangerous - DOM. Affected are all applications using golang.org/x/net/html versions prior to 0.55.0 that rely on this library as part of an HTML sanitization pipeline; no confirmed active exploitation (CISA KEV) and EPSS is 0.03%, but the attack class (mutation XSS) is well-understood and high-value for targeted web application attacks.

XSS Golang Org X Net Html Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Excessive CPU consumption in the golang.org/x/net/html package's HTML parser allows remote attackers to cause denial of service by supplying crafted HTML input to any Go application that parses untrusted markup using this library. All versions before 0.55.0 are confirmed affected per EUVD-2026-31447 and the Go vulnerability database (GO-2026-5028). No active exploitation has been identified - CISA SSVC rates exploitation as 'none' and the EPSS score of 0.04% (13th percentile) indicates very low observed exploitation probability at time of analysis.

Denial Of Service Golang Org X Net Html Suse
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Mutation XSS in Go's golang.org/x/net/html package allows attackers to bypass HTML sanitization by exploiting a discrepancy between how the html.Parse() function constructs an internal tree and how html.Render() serializes it back. Applications that rely on this package to sanitize untrusted HTML before display are vulnerable: maliciously crafted input can survive sanitization and execute JavaScript in victims' browsers when the rendered output is viewed. No public exploit exists at time of analysis, though the Go security team has issued a fix in version 0.55.0.

XSS Golang Org X Net Html Suse
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

XSS sanitization bypass in Go's extended networking HTML parser (golang.org/x/net/html) allows remote unauthenticated attackers to execute cross-site scripting payloads against victims of Go web applications that rely on the library's parse-sanitize-render pipeline. The vulnerability arises because html.Render() can serialize a parsed and sanitized node tree into HTML output that structurally diverges from the sanitized intermediate representation, causing attacker-controlled content to re-materialize in rendered output. No active exploitation is confirmed (CISA KEV absent, EPSS 0.03%), but any Go application using this library as a sanitization layer is structurally exposed until upgraded to version 0.55.0.

XSS Golang Org X Net Html Suse
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy