Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Published: 2026-05-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Render in golang.org/x/net/html mishandles character references in DOCTYPE nodes. Serializing a tree that the application has already parsed and inspected can therefore produce markup that a browser parses into a different tree from the one the application vetted. Applications that sanitize untrusted HTML by parsing it, checking or pruning the tree, and then calling Render can emit markup containing script, enabling client-side script execution (CWE-79) in the victim's browser, with the usual consequences: phishing, defacement or credential theft.

Affected Systems

Any Go application that imports golang.org/x/net/html and passes user-supplied HTML through Render for display is affected; the exposure is most direct where the parse-and-Render round trip is itself the sanitization step. The advisory lists no affected or fixed versions, so treat every release of golang.org/x/net as vulnerable until a corrected release is published.

Risk and Exploitability

The CVSS 3.1 score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): reachable over the network without privileges, but a victim must load or interact with the rendered page (UI:R), and the changed scope reflects that the impact lands in the victim's browser rather than in the Go process. EPSS data is not available, so no exploitation probability is provided, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates it not automatable. The attack vector is remote submission of crafted HTML through any input channel the application parses and re-renders with this library. The resulting XSS runs in the page's origin and can reach cookies, local storage and anything else the page's scripts can do.

Generated by OpenCVE AI on May 22, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update golang.org/x/net to the first release that contains the fix once it is published; the Go team is the assigner, so track the Go vulnerability database and golang.org/x/net release tags and apply the update as soon as it is available.
  • Do not rely on a parse-then-Render round trip as a sanitizer for untrusted HTML. If user HTML must be preserved as HTML, sanitize on the parsed tree with an allowlist of elements, attributes and URL schemes, drop DOCTYPE and comment nodes before rendering, and verify that the rendered output parses back into the tree that was vetted.
  • Where the requirement is only to display user text, insert it as data through Go's html/template, which escapes according to the surrounding HTML context. html/template does not sanitize HTML fragments, and wrapping a fragment in template.HTML disables escaping for it entirely.
  • Keep the allowlist strict: reject every element and attribute not on it, and reject href and src values whose scheme is not explicitly permitted.

Generated by OpenCVE AI on May 22, 2026 at 21:23 UTC.
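What html/template does and does not give you, as an added example that is not OpenCVE's text and not code from the Go project: a plain string inserted through a template is escaped for its context (HTML-escaped in text, scheme-filtered and attribute-escaped in an href), while the same string typed as template.HTML is emitted verbatim, so a fragment produced by a parse-and-Render sanitizer and marked template.HTML is exactly as safe as that sanitizer. The templates, the function names (EscapeText, PassThroughHTML, EscapeHref) and the inputs are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Two constructed templates: one inserts data into HTML text, the other into an href attribute.
var (
	textTmpl = template.Must(template.New("text").Parse(`<p>{{.}}</p>`))
	hrefTmpl = template.Must(template.New("href").Parse(`<a href="{{.}}">go</a>`))
)

func execute(t *template.Template, data interface{}) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		panic(err)
	}
	return buf.String()
}

// EscapeText inserts an untrusted string into text content: html/template HTML-escapes it.
func EscapeText(s string) string { return execute(textTmpl, s) }

// PassThroughHTML inserts the same string typed as template.HTML: html/template trusts it and
// emits it verbatim, so its safety depends entirely on whatever produced it.
func PassThroughHTML(s string) string { return execute(textTmpl, template.HTML(s)) }

// EscapeHref inserts an untrusted string into a URL attribute: schemes other than http, https
// and mailto are replaced by the "#ZgotmplZ" failsafe, then the value is attribute-escaped.
func EscapeHref(u string) string { return execute(hrefTmpl, u) }

func main() {
	payload := `<script>alert(1)</script>`
	fmt.Println(EscapeText(payload))       // escaped: inert text
	fmt.Println(PassThroughHTML(payload))  // verbatim: live script
	fmt.Println(EscapeHref("javascript:alert(1)"))
	fmt.Println(EscapeHref("https://example.com/"))
}
```

The practical rule: template.HTML is a declaration that something else already made the value safe. If that something else is a parse-and-Render pass over golang.org/x/net/html, this advisory is the reason the declaration can be wrong.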

Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Title Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T17:46:20.366Z

Reserved: 2026-02-05T01:35:43.738Z

Link: CVE-2026-25681

Vulnrichment

Updated: 2026-05-22T17:46:16.872Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses

No weakness.