Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Published: 2026-03-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting exploitation
Action: Immediate Patch
AI Analysis

Impact

The Go standard library's html/template package does not escape URLs that template actions insert into the content attribute of meta tags. If a template renders a meta tag carrying http-equiv="refresh" whose redirect URL comes from user input, the unescaped value is handed to the browser as the refresh target, so an attacker who controls that value can inject a payload that runs in the victim's browser, a client-side cross-site scripting (XSS) attack. The flaw is classified as CWE-79 and allows an attacker to execute arbitrary JavaScript in the context of the victim's browser.

Affected Systems

The affected component is the Go standard library's html/template package, used when rendering web pages. The public data does not name a specific affected product version, but any Go program that uses html/template to generate meta tags with dynamic URLs is potentially vulnerable until it is built with the patched release.

Risk and Exploitability

The flaw is scored CVSS 6.1 (medium severity), and its EPSS score is below 1%, indicating a low current probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to influence the value passed to the template, for example through a form field or URL parameter, and the attack vector is most likely client-side: a victim's browser renders a page that includes the meta refresh tag. Successful exploitation could lead to credential theft, session hijacking, or other XSS-based damage in the victim's browser.

Generated by OpenCVE AI on April 16, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Go runtime and compiler to the latest stable release that includes the fix for unescaped URLs in meta content attributes.
  • Leave the GODEBUG setting htmlmetacontenturlescape at its default value (1), which keeps URL escaping enabled, and do not set htmlmetacontenturlescape=0.
  • Review and modify any template code that generates meta tags with dynamic URLs; escape or validate the URLs using standard library functions before inserting them into the content attribute, and remove http-equiv="refresh" unless absolutely necessary.
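The Impact analysis and the third recommended action point to the same application-side control: validate a dynamic redirect URL before it reaches a meta content attribute, instead of relying on the library to escape it. The following Go program is an added example and is not code from this page, from the Go project or from OpenCVE. The template, the `allowedHosts` allow-list, the hosts `example.com` and `evil.example`, and the function names `safeRedirectTarget` and `renderRefresh` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// refreshTmpl is a constructed template in the shape the advisory describes:
// a meta refresh whose redirect target comes from a template action. Before the
// fix, html/template applied only attribute escaping to the value after "url=".
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<meta http-equiv="refresh" content="0; url={{.Target}}">`))

// allowedHosts is a hypothetical allow-list of redirect destinations; a real
// application would load its own.
var allowedHosts = map[string]bool{"example.com": true}

var (
	errBadChars = errors.New("redirect target contains a forbidden character")
	errScheme   = errors.New("redirect target must be http(s) to an allowed host or a site-relative path")
	errHost     = errors.New("redirect target host is not on the allow-list")
)

// safeRedirectTarget validates a caller-supplied redirect target before it is
// inserted into the meta content attribute. It accepts only absolute http(s)
// URLs to an allow-listed host, or site-relative paths that start with a single
// "/", and rejects everything else: other schemes (javascript:, data:, ...),
// protocol-relative "//host" forms, backslashes (browsers treat them as "/"),
// and characters that could terminate the attribute value.
func safeRedirectTarget(raw string) (string, error) {
	if strings.ContainsAny(raw, "\"'<>\\\r\n\x00") {
		return "", errBadChars
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	switch {
	case u.Scheme == "http" || u.Scheme == "https":
		if !allowedHosts[strings.ToLower(u.Hostname())] {
			return "", errHost
		}
	case u.Scheme == "" && u.Host == "" && u.Opaque == "" &&
		strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//"):
		// site-relative path: stays on the current origin, nothing more to check
	default:
		return "", errScheme
	}
	return u.String(), nil
}

// renderRefresh validates the target and only then executes the template, so
// the action never receives an untrusted value, whatever the running Go
// version does with URLs in meta content attributes.
func renderRefresh(raw string) (string, error) {
	target, err := safeRedirectTarget(raw)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := refreshTmpl.Execute(&sb, map[string]string{"Target": target}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed inputs: two acceptable targets and three that must be rejected.
	for _, in := range []string{
		"https://example.com/login",
		"/account",
		"https://evil.example/",
		"//evil.example/",
		"javascript:alert(1)",
	} {
		out, err := renderRefresh(in)
		if err != nil {
			fmt.Printf("reject %-28q %v\n", in, err)
			continue
		}
		fmt.Printf("accept %-28q %s\n", in, out)
	}
}
```

Because the check runs before Execute, the rendered output does not depend on whether the toolchain carries the fix or on the htmlmetacontenturlescape setting; upgrading is still required for templates that cannot be audited this way, and the allow-list is what turns "is it a URL?" into "is it a destination we intended?".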

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:30:00 +0000

  First Time appeared
    Values Added: Golang; Golang go
  CPEs
    Values Added: cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*; cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*
  Vendors & Products
    Values Added: Golang; Golang go

Mon, 16 Mar 2026 16:15:00 +0000

  Metrics
    Values Removed:
      cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Values Added:
      cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:15:00 +0000

  Weaknesses
    Values Added: CWE-79
  References
  Metrics
    Values Removed:
      threat_severity: None
    Values Added:
      threat_severity: Moderate

Tue, 10 Mar 2026 14:15:00 +0000

  Metrics
    Values Added:
      cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

  First Time appeared
    Values Added: Go Standard Library; Go Standard Library html/template
  Vendors & Products
    Values Added: Go Standard Library; Go Standard Library html/template

Fri, 06 Mar 2026 21:45:00 +0000

  Description
    Values Added: Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
  Title
    Values Added: URLs in meta content attribute actions are not escaped in html/template
  References

Subscriptions

Go Standard Library Html/template
Golang Go
MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-03-16T15:21:14.465Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27142

Vulnrichment

Updated: 2026-03-10T13:38:17.936Z

NVD

Status : Analyzed

Published: 2026-03-06T22:16:01.177

Modified: 2026-04-21T14:30:01.380

Link: CVE-2026-27142

Redhat

Severity : Moderate

Public Date: 2026-03-06T21:28:14Z

Links: CVE-2026-27142 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses