Description
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from a flaw in the AutoFormat content‑negotiation logic of the Go Fiber framework. When AutoFormat is invoked, Fiber examines the Accept header of the incoming request. If the request contains Accept: text/html and the application has not explicitly opted into raw HTML emission, Fiber selects the HTML rendering branch. Because the framework does not escape or encode the data passed to AutoFormat, a remote attacker can supply user‑controlled input that is rendered unescaped in the response, enabling arbitrary HTML or JavaScript injection. This results in client‑side script execution in the victim's browser, with typical XSS consequences such as session hijacking, credential theft, or defacement.

Affected Systems

Any application built with the Go Fiber web framework and using a version earlier than 2.52.12 or 3.1.0 is vulnerable. Fiber versions 2.x prior to 2.52.12 and 3.x prior to 3.1.0 contain the unprotected AutoFormat path. Any deployment that depends on these libraries and does not apply additional HTML escaping before invoking AutoFormat is at risk.

Risk and Exploitability

The CVSS base score of 5.3 represents moderate severity. No EPSS score is provided, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is a crafted HTTP request that sets the Accept header to text/html, which is a remote, network‑based attack that does not require local privileges. If the application calls AutoFormat with data influenced by the attacker and has not opted into raw HTML rendering, the conditions for exploitation are satisfied. The weakness is categorized as CWE‑79, reflecting insufficient output encoding in a content‑negotiation context.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Go Fiber library to version 2.52.12 or 3.1.0, where the AutoFormat handling has been corrected.
  • If an upgrade cannot be performed immediately, remove AutoFormat calls for routes that output user data or ensure all data handed to AutoFormat is properly escaped or sanitized before use.
  • Limit the Accept header handling so that only trusted responses can request the HTML branch, preventing attackers from forcing the vulnerable path.

Generated by OpenCVE AI on May 12, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qjv7-627w-8qjv Fiber vulnerable to XSS in AutoFormat Content Negotiation
History

Mon, 18 May 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 15 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Gofiber
Gofiber fiber
Vendors & Products Gofiber
Gofiber fiber

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
Title Fiber: XSS in AutoFormat Content Negotiation
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Gofiber Fiber
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:24:38.300Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42554

cve-icon Vulnrichment

Updated: 2026-05-15T18:24:34.549Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T23:19:48.083

Modified: 2026-05-18T16:50:44.640

Link: CVE-2026-42554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:15:07Z

Weaknesses