Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Published: 2026-05-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can exploit the golang.org/x/net/html parser by injecting duplicate attributes into HTML input. This causes the parser to build an unexpected tree that retains malicious script elements, allowing the rendered content to execute client‑side code in a victim’s browser.

Affected Systems

The vulnerability affects the golang.org/x/net/html package from the Go standard library. No specific product versions are listed in the CNA data, so any deployment using this package before the fix is potentially impacted. Users must verify the version of the package they are running and upgrade to the latest release once it contains the remediation.

Risk and Exploitability

Exploitation requires that an application parse user‑controlled HTML and render it with Render. The CVSS score of 6.1 corresponds to medium severity. While no EPSS score is available and the CVE is not in the CISA KEV catalog, the inherent risk of XSS remains significant, particularly for web applications that rely on this parser for user‑generated content. The likely attack vector is any form or API that accepts raw HTML input and renders it without additional sanitization. Administrators should assess whether the application exposes such an input path and weigh the impact of an XSS failure in their environment.

Generated by OpenCVE AI on May 22, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the golang.org/x/net/html package to the latest released version containing the XSS fix
  • Validate or sanitize HTML input to remove duplicate attributes before parsing or rendering
  • Limit the set of allowed tags and attributes in the rendered output or use a dedicated sanitizer that rejects malicious patterns



Advisories

No advisories yet.

History

Fri, 22 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Title Invoking duplicate attributes can cause XSS in golang.org/x/net/html
References


MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T16:59:52.807Z

Reserved: 2026-02-17T19:57:28.434Z

Link: CVE-2026-27136

Vulnrichment

Updated: 2026-05-22T16:59:49.166Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:30:06Z

Weaknesses