Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Published: 2026-05-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in golang.org/x/net/html allows character references in a DOCTYPE to be misinterpreted, producing an altered HTML tree that can contain arbitrary JavaScript when rendered by the Render function. This enables client‑side script execution in the vulnerable application, which can be used for phishing, defacement or credential theft.

Affected Systems

Any Go application that imports golang.org/x/net/html and uses its Render routine to display or sanitize user‑supplied HTML is affected. No specific version exclusions are noted, so all current releases that have not yet been patched should be treated as vulnerable until a corrected release is available.

Risk and Exploitability

The CVSS score is 6.1 and the EPSS score is < 1%, indicating a very low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote submission of malicious HTML through any input channel that is parsed and rendered by the library, enabling XSS attacks that affect the client and expose contextual information such as cookies or local storage.

Generated by OpenCVE AI on May 29, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update golang.org/x/net/html to the newest release that contains the patch once it becomes available.
  • Do not use Render to sanitize untrusted HTML; instead employ a dedicated sanitization library or Go's html/template package, which performs context‑aware escaping.
  • Implement strict input validation to allow only a curated set of safe tags and attributes before the HTML is parsed, while rejecting all others.
  • Keep track of golang.org releases and apply any updates that contain the fix as soon as they are released.
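As an added illustration of the second recommendation above (this is example code written for this page, not code from OpenCVE or from the golang.org/x/net project), the following Go program inserts a constructed sample of untrusted input into a page through the standard library's html/template. The template text and the sample input are assumptions made for the example. The point is that the untrusted value is only ever treated as data to be escaped for the context it lands in, never parsed into a node tree and re-serialised, so it cannot alter the document's structure.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample of untrusted input: markup a user might submit.
// It is data to be displayed, never markup to be interpreted.
const untrustedInput = `<img src=x onerror="alert(1)">`

// page is a hypothetical template that places the same untrusted value in
// two different HTML contexts: a quoted attribute value and element text.
// html/template selects the escaper for each context itself.
var page = template.Must(template.New("page").Parse(
	`<p title="{{.}}">User said: {{.}}</p>`))

// RenderUntrusted returns the page with the input inserted through
// html/template. Unlike parsing the input with x/net/html and writing it
// back out with Render, the input never becomes part of the tree, so the
// markup characters it contains are escaped rather than interpreted.
func RenderUntrusted(input string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, input); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	out, err := RenderUntrusted(untrustedInput)
	if err != nil {
		panic(err)
	}
	// The <, > and " characters of the sample come out as &lt;, &gt; and &#34;.
	fmt.Println(out)
}
```

This pattern covers the case where user input is meant to appear as text. If an application has to preserve user-supplied rich markup, html/template is the wrong tool, and the dedicated sanitizer named in the recommendation is the appropriate route.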

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
CPEs cpe:2.3:a:golang:net:*:*:*:*:*:go:*:*

Mon, 25 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang net
Vendors & Products Golang
Golang net

Fri, 22 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Title Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T17:46:20.366Z

Reserved: 2026-02-05T01:35:43.738Z

Link: CVE-2026-25681

Vulnrichment

Updated: 2026-05-22T17:46:16.872Z

NVD

Status: Analyzed

Published: 2026-05-22T16:16:19.863

Modified: 2026-05-29T15:30:15.417

Link: CVE-2026-25681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:30:04Z

Weaknesses
  • CWE-1021: Improper Restriction of Rendered UI Layers or Frames