Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Published: 2026-05-22
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parsing arbitrary HTML with golang.org/x/net/html and then rendering the resulting tree with Render can produce a DOM structure that differs from the one the application inspected. Attackers can exploit this to inject scripts into pages served by applications that believe they have sanitized their input, leading to client-side code execution. The result is cross-site scripting, which can compromise user sessions, leak sensitive data, or perform actions on behalf of the user.

Affected Systems

The affected product is golang.org/x/net, specifically the golang.org/x/net/html package. No specific version constraints are documented in the CVE, so any application that imports this package and renders HTML using Render is potentially impacted.

Risk and Exploitability

The CVSS score is 6.1 (medium severity); EPSS information is unavailable, so the exploitation probability is not quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack vector depends on how the library is used: if a web application uses this HTML parser to clean or render user input, an attacker able to supply that input could trigger XSS. Exploitation requires that the application trust the rendered output, so assessing exposure means confirming whether the application's sanitization still holds on the output that Render actually produces.

Generated by OpenCVE AI on May 22, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of golang.org/x/net/html that includes the fix for the foreign content parsing issue.
  • If a patch cannot be applied immediately, ensure that any HTML data processed with Render is not sent to users without additional whitelist‑based sanitization that removes script and potentially dangerous elements.
  • Implement a Content‑Security‑Policy header that blocks inline scripts and restricts where external scripts may be loaded from, reducing the impact of any residual XSS.
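The following Go program is an added illustration of the third recommended action; it is not code from OpenCVE or from the golang.org/x/net project. It shows a net/http middleware that mints a per-response nonce, emits a Content-Security-Policy that allows inline scripts only when they carry that nonce and external scripts only from 'self' and a configured origin list, and passes the nonce to the handler through the request context. The handler renderPage, the allowed origin https://cdn.example and the probe helper are hypothetical stand-ins for an application's own code. A script element that reached the page through an unexpected HTML tree carries no nonce and is therefore blocked by the browser, which limits the impact of a sanitization failure without replacing the sanitization itself.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type nonceKey struct{}

// newNonce returns 128 bits of CSPRNG output, base64-encoded, for use as a CSP nonce.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// buildCSP assembles a policy in which inline scripts run only if they carry the
// per-response nonce and external scripts load only from 'self' plus the listed
// origins. object-src 'none' and base-uri 'self' close two common gaps
// (plugin content and <base> redirection of relative script URLs).
func buildCSP(nonce string, scriptOrigins []string) string {
	scriptSrc := append([]string{"'self'", "'nonce-" + nonce + "'"}, scriptOrigins...)
	return strings.Join([]string{
		"default-src 'self'",
		"script-src " + strings.Join(scriptSrc, " "),
		"object-src 'none'",
		"base-uri 'self'",
	}, "; ")
}

// withCSP wraps a handler: it mints a nonce for every response, sets the header,
// and hands the nonce to the handler through the request context so that the
// handler's own <script> tags can be tagged with it.
func withCSP(next http.Handler, scriptOrigins []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", buildCSP(nonce, scriptOrigins))
		ctx := context.WithValue(r.Context(), nonceKey{}, nonce)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// nonceFrom retrieves the nonce set by withCSP (empty if the middleware is absent).
func nonceFrom(r *http.Request) string {
	v, _ := r.Context().Value(nonceKey{}).(string)
	return v
}

// renderPage is a hypothetical handler standing in for the application's page
// rendering. Its one legitimate script tag carries the nonce; any script that
// arrived via user-supplied HTML has none and is blocked by the browser.
func renderPage(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<script nonce="%s">init()</script>`, nonceFrom(r))
}

// probe runs one in-memory request through the middleware and returns the CSP
// header and the nonce the handler saw, so the pairing can be checked.
func probe(scriptOrigins []string) (policy, nonce string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce = nonceFrom(r)
		renderPage(w, r)
	})
	withCSP(h, scriptOrigins).ServeHTTP(rec, req)
	return rec.Header().Get("Content-Security-Policy"), nonce
}

func main() {
	policy, nonce := probe([]string{"https://cdn.example"})
	fmt.Println("nonce: ", nonce)
	fmt.Println("policy:", policy)
}
```

The header is a mitigation of last resort: it does not make the rendered tree match the sanitized one, it only stops the browser from executing a script that slipped through, so it belongs alongside the allowlist sanitization in the previous bullet rather than in place of it.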

Advisories

No advisories yet.

History

Fri, 22 May 2026 20:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79

Fri, 22 May 2026 18:15:00 +0000

Type         Values Removed   Values Added
Metrics                       cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 16:45:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79

Fri, 22 May 2026 15:45:00 +0000

Type         Values Removed   Values Added
Description                   Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Title                         Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
References


MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-22T17:17:20.637Z

Reserved: 2026-04-28T00:21:12.791Z

Link: CVE-2026-42502

Vulnrichment

Updated: 2026-05-22T17:16:48.633Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses

No weakness.