Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Published: 2026-05-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the Go standard library’s html/template package, which fails to escape URLs correctly when the URL contains ASCII whitespace around the equals sign inside a <meta> tag’s content attribute. This escape failure permits an attacker to inject malicious script, resulting in arbitrary JavaScript execution within the victim’s browser. The weakness aligns with CWE‑79, Cross‑Site Scripting.

Affected Systems

The affected product is the Go standard library (html/template). Any Go application that renders HTML using this package and inserts user‑controlled data into a <meta> tag’s content attribute is potentially vulnerable, provided it is running a Go release prior to the fix. No explicit version ranges are listed, but the patch was included in later standard library releases following the issue closure.

Risk and Exploitability

The likely attack vector is client‑side: an attacker supplies or manipulates data that ends up in a template that generates a <meta> tag, and then causes an end user’s browser to load the crafted page. The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. This vulnerability is not listed in CISA’s KEV catalog, but because Go is widely used for web services, any unpatched application could expose its users to malicious script execution.

Generated by OpenCVE AI on May 8, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your Go runtime to a version that includes the html/template fix, ensuring that the escape logic is corrected.
  • Audit all templates that include <meta> tags and remove or properly encode any user‑supplied data placed in the content attribute to eliminate the whitespace‑based escape bypass.
  • If dynamic data must reside in a <meta> content attribute, use Go’s built‑in URL‑encoding helpers that reject whitespace around the equals sign, or manually escape the content using a safe encoding routine.
  • Run static analysis or linters such as gosec across the codebase to flag potential XSS sinks and mitigate them before deployment.
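As an added example (not code from the Go project or from OpenCVE) of the second and third recommended actions: the user-supplied redirect target is normalised with net/url before it reaches an html/template meta refresh tag, so whitespace in the path or query is percent-encoded (or turned into '+') and the '=' in the query never has raw whitespace around it. The http/https allowlist, the requirement for a host, and the refresh template text are assumptions of this example.

```go
package main

import (
	"bytes"
	"errors"
	"html/template"
	"net/url"
	"strings"
	"unicode"
)

// ErrUnsafeMetaURL is returned when a value cannot be turned into a URL
// that is safe to place in a <meta> content attribute.
var ErrUnsafeMetaURL = errors.New("value is not safe for a meta content URL")

// Constructed template for this example: a meta refresh whose URL is the
// only dynamic part. Only a sanitised string is ever passed to it.
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<meta http-equiv="refresh" content="0; url={{.}}">`))

// SafeMetaURL rebuilds raw with net/url so that path, query and fragment
// are re-encoded before the string reaches the template. The http/https
// allowlist and the non-empty host check are assumptions of this example.
func SafeMetaURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", ErrUnsafeMetaURL
	}
	// url.Values.Encode query-escapes every key and value, so a raw
	// "a =b" in the query comes back as "a+=b".
	u.RawQuery = u.Query().Encode()
	out := u.String() // percent-encodes whitespace left in path or fragment
	for _, r := range out {
		if unicode.IsSpace(r) {
			return "", ErrUnsafeMetaURL // belt and braces: never emit whitespace
		}
	}
	return out, nil
}

// RenderRefresh renders the meta refresh tag for raw and renders nothing
// at all when sanitisation fails.
func RenderRefresh(raw string) (string, error) {
	safe, err := SafeMetaURL(raw)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := refreshTmpl.Execute(&buf, safe); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```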


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Golang
                                      Golang go
CPEs                                  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products                    Golang
                                      Golang go

Fri, 08 May 2026 22:45:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-79

Fri, 08 May 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-79

Fri, 08 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                                      ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 23:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Go Standard Library
                                      Go Standard Library html/template
Vendors & Products                    Go Standard Library
                                      Go Standard Library html/template

Thu, 07 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-79

Thu, 07 May 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Description                           CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Title                                 Bypass of meta content URL escaping causes XSS in html/template
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T14:05:55.152Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39823

Vulnrichment

Updated: 2026-05-08T14:05:50.846Z

NVD

Status : Analyzed

Published: 2026-05-07T20:16:43.290

Modified: 2026-06-17T10:42:38.473

Link: CVE-2026-39823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')