CVE-2023-3978
Published 2023-08-02
CVE-2023-3978: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
Priority P4 · 24 · medium · CVSS 3.1 score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.84% (53.3rd percentile)
Affected (31 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.14.0-1 (forky) | golang-golang-x-net 1:0.14.0-1 (forky) |
| golang.org | x_net | >= 0 < 0.13.0 | 0.13.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.13.0 | 0.13.0 |
| golang | networking | < 0.13.0 | 0.13.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3 | — | — |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-1 | — | — |
| msrc | azl3_cert-manager_1.11.2-8 | — | — |
| msrc | azl3_cert-manager_1.12.12-1 | — | — |
| msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-12 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-14 | — | — |
| msrc | azl3_kubevirt_0.59.0-14 | — | — |
| msrc | azl3_kubevirt_1.2.0-1 | — | — |
| msrc | azl3_multus_4.0.2-2 | — | — |
| msrc | azl3_multus_4.0.2-5 | — | — |
| msrc | azl3_prometheus-adapter_0.11.2-1 | — | — |
| msrc | azl3_prometheus-adapter_0.12.0-1 | — | — |
| msrc | azl3_telegraf_1.27.3-4 | — | — |
| msrc | azl3_telegraf_1.29.4-1 | — | — |
| msrc | azl3_vitess_17.0.2-1 | — | — |
| msrc | azl3_vitess_19.0.4-2 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 6.1 | MEDIUM | — |
| vendor_msrc | 6.1 | MEDIUM | — |
| vendor_redhat | 6.1 | MEDIUM | — |
OSV: adsys, juju-core, lxd vulnerabilities
osv · 2026-04-07 · CVSS 7.5 · [HIGH]
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV: golang-golang-x-net-dev vulnerabilities
osv · 2026-03-31 · CVSS 7.5 · [HIGH]
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
OSV: golang-golang-x-net vulnerabilities
osv · 2026-03-12 · CVSS 7.5 · CVE-2022-27664 [HIGH]
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker could possibly use this to execute
arbitrary code. This issue only a
GHSA: Improper rendering of text nodes in golang.org/x/net/html
ghsa · 2023-08-02 · CVE-2023-3978 [MEDIUM] · CWE-79
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
OSV: Improper rendering of text nodes in golang.org/x/net/html
osv · 2023-08-02 · CVE-2023-3978 [MEDIUM]
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
OSV: CVE-2023-3978: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be
osv · 2023-08-02 · CVSS 6.1 · CVE-2023-3978 [MEDIUM]
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
Ubuntu: ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu · 2026-04-07 · CVSS 7.5 · CVE-2023-3978 [HIGH]
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu: Go Networking vulnerabilities
vendor_ubuntu · 2026-03-31 · CVSS 7.5 · CVE-2025-47911 [HIGH]
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Ubuntu: Go Networking vulnerabilities
vendor_ubuntu · 2026-03-12 · CVSS 7.5 · CVE-2022-27664 [HIGH]
Summary: Several security issues were fixed in Go Networking.
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-41723)
Mohammad Thoriq Aziz discovered that Go Networking did not properly
sanitize some text nodes. An attacker coul
Palo Alto: PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto · 2025-07-09 · CVSS 7.5 · CVE-2018-6594 [HIGH]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.

| CVE | Summary |
|---|---|
| CVE-2018-6594 | This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS |
| CVE-2018-25032 | This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS |
| CVE-2019-5827 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13750 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13751 | This CVE is fixed in PAN-OS 11.1.4, and all later versions |
Palo Alto: PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto · 2025-07-09 · CVSS 7.5 · CVE-2023-38546 [HIGH]
Microsoft: Improper rendering of text nodes in golang.org/x/net/html
vendor_msrc · 2023-08-08 · CVSS 6.1 · CVE-2023-3978 [MEDIUM] · CWE-79
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.mic
Red Hat: golang.org/x/net/html: Cross site scripting
vendor_redhat · 2023-08-02 · CVSS 6.1 · CVE-2023-3978 [MEDIUM] · CWE-79
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Package: jetstack-cert-manager-container (cert-manager Operator for Red Hat OpenShift) - Not affected
Package: openshift-logging/cluster-logging-rhel9-ope
Debian: CVE-2023-3978: golang-golang-x-net - Text nodes not in the HTML namespace are incorrectly literally rendered, causing...
vendor_debian · 2023 · CVSS 6.1 · CVE-2023-3978 [MEDIUM]
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1:0.14.0-1)
sid: resolved (fixed in 1:0.14.0-1)
trixie: resolved (fixed in 1:0.14.0-1)
No detection rules found.
No public exploits indexed.
Published: 2023-08-02