The golang.org/x/net/html package parses arbitrary HTML that is later rendered with Render. When namespaced elements in foreign content are handled incorrectly, the resulting HTML tree can be altered in an unexpected way, allowing an attacker to insert malicious payloads that execute in a victim's browser. This leads to an XSS vulnerability that can affect client‑side confidentiality, integrity, and availability by executing arbitrary JavaScript in the context of the user’s session.

Applications using the golang.org/x/net HTML parsing library, specifically golang.org/x/net/html, are vulnerable if they accept and render untrusted HTML input. The issue applies to all versions of the library that have not been updated to address this parsing flaw.

The EPSS score for this CVE is not available and it is not listed in the CISA KEV catalog, so no current exploitation data is provided. Because the vulnerability requires an application to parse and render arbitrary HTML, it is inferred that the attack vector is a user‑supplied HTML payload that reaches the Render call. In environments where this library is used to sanitize or display user content, the risk of exploitation is moderate to high pending a patch, but lack of publicly known exploits means the immediate threat level may be lower than typical XSS scenarios. The CVSS score of 6.1 indicates a moderately high impact, quantifying the potential severity of the XSS vulnerability.