CVE-2026-42506 | THREATINT

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

PUBLISHED Reserved 2026-04-28 | Published 2026-05-22 | Updated 2026-05-22 | Assigner Go

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unaffected

Any version before 0.55.0

affected

Credits

ensy

References

go.dev/issue/79571

groups.google.com/g/golang-announce/c/iI-mYSI0lu8

go.dev/cl/781700

pkg.go.dev/vuln/GO-2026-5025

cve.org (CVE-2026-42506)

nvd.nist.gov (CVE-2026-42506)

Download JSON