Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from an escape function that fails to properly neutralize URLs placed inside a <meta> tag's content attribute when the URL contains ASCII whitespace around the equals sign. An attacker can therefore inject a malicious URL crafted to bypass the escaping mechanism, resulting in the execution of arbitrary JavaScript in a visitor's browser. This client-side code execution can lead to theft of session cookies, credential compromise, or further malicious actions within the context of the web page.

Affected Systems

The issue resides in Go’s standard library package html/template. Any Go application that renders HTML via this package and incorporates user‑controlled input into a <meta> content attribute is potentially vulnerable. The specific vulnerable Go releases are those released before the patch that corrected the escaping logic; explicit version ranges are not provided in the CVE record.

Risk and Exploitability

The attack vector is purely client‑side: an attacker must supply or influence content that is rendered into a template. Once an end‑user loads the page, the crafted script runs with the privileges of that web application. Although the CVSS score and EPSS value are not included, the existence of a functional XSS flaw with broad exposure warrants a high severity assessment. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact remains significant due to the prevalence of Go in web services.

Generated by OpenCVE AI on May 7, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Go runtime to a version that incorporates the html/template fix (any release following the remediation of the escaping bug).
  • Review all templates that generate <meta> tags and sanitize or remove any user‑supplied content from the content attribute, ensuring that no whitespace can corrupt URL escaping.
  • Replace dynamic data inserted into <meta> content with safer alternative attributes or encode the value with a dedicated URL‑encoding helper that blocks the whitespace trick.
  • Perform regular static analysis of Go codebases with tools such as gosec to detect potential XSS sinks and fix them promptly.
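The dedicated helper suggested in the last two actions, as an added example (not Go's own code and not the html/template fix itself): it percent-encodes every ASCII whitespace byte in an untrusted URL and allow-lists the scheme before the value is handed to a <meta http-equiv="refresh"> content attribute. The function names, the absolute-http/https-only rule and the sample inputs are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ASCII whitespace bytes that must never reach the attribute unencoded.
const asciiSpace = " \t\n\f\r"
// SafeMetaRefreshURL returns an untrusted URL in a form safe to place after
// "url=" in a <meta http-equiv="refresh"> content value.
// Assumption of this example: only absolute http/https URLs are legitimate targets.
func SafeMetaRefreshURL(raw string) (string, error) {
	// Encode whitespace before parsing: it can then never split "url", "=" and the target.
	var b strings.Builder
	for i := 0; i < len(raw); i++ {
		if c := raw[i]; strings.IndexByte(asciiSpace, c) >= 0 {
			fmt.Fprintf(&b, "%%%02X", c) // e.g. ' ' -> %20, '\t' -> %09
		} else {
			b.WriteByte(c)
		}
	}
	u, err := url.Parse(b.String())
	if err != nil {
		return "", fmt.Errorf("meta refresh: unparsable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("meta refresh: only absolute http/https URLs are allowed")
	}
	return b.String(), nil
}

// MetaRefreshContent builds the whole content attribute value, e.g. "0; url=...".
func MetaRefreshContent(delaySeconds int, raw string) (string, error) {
	safe, err := SafeMetaRefreshURL(raw)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%d; url=%s", delaySeconds, safe), nil
}

func main() {
	// Constructed inputs: a clean URL, one with whitespace around '=', and a non-web scheme.
	for _, in := range []string{"https://example.com/next?a=1", "https://example.com/x \t= y", "ftp://example.com/file"} {
		v, err := MetaRefreshContent(0, in)
		fmt.Printf("%q -> %q, err=%v\n", in, v, err)
	}
}
```

Pass the returned string to the template as an ordinary string so html/template still escapes it; the helper is defense in depth alongside the runtime upgrade, not a substitute for it.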

Advisories

No advisories yet.

History

Thu, 07 May 2026 23:15:00 +0000

  Type: First Time appeared
    Values Added: Go Standard Library; Go Standard Library html/template
  Type: Vendors & Products
    Values Added: Go Standard Library; Go Standard Library html/template

Thu, 07 May 2026 21:45:00 +0000

  Type: Weaknesses
    Values Added: CWE-79

Thu, 07 May 2026 20:00:00 +0000

  Type: Description
    Values Added: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
  Type: Title
    Values Added: Bypass of meta content URL escaping causes XSS in html/template
  Type: References
    Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:19.524Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39823

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:43.290

Modified: 2026-05-07T20:38:04.860

Link: CVE-2026-39823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T23:00:07Z

Weaknesses