CVE-2023-3978 — Cross-site Scripting in X NET Golang.org X NET Html

CWE-79 — Cross-site Scripting11 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 73.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X NET Golang.org X NET Html Golang.org X NET Golang Networking

Timeline

PublishedAug 2

Latest updateApr 7

Description

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5golang.org/x_net_golang.org_x_net_html< 0.13.0

▶Gogolang.org/x_net< 0.13.0

▶NVDgolang/networking< 0.13.0

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: pkg.go.dev ↗

🔴Vulnerability Details

GHSA

Improper rendering of text nodes in golang.org/x/net/html↗2023-08-02

▶

OSV

Improper rendering of text nodes in golang.org/x/net/html↗2023-08-02

▶

CVEList

Improper rendering of text nodes in golang.org/x/net/html↗2023-08-02

▶

OSV

CVE-2023-3978: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be↗2023-08-02

▶

📋Vendor Advisories

Ubuntu

ADSys, Juju Core, LXD vulnerabilities↗2026-04-07

▶

Ubuntu

Go Networking vulnerabilities↗2026-03-31

▶

Ubuntu

Go Networking vulnerabilities↗2026-03-12

▶

Microsoft

Improper rendering of text nodes in golang.org/x/net/html↗2023-08-08

▶

Red Hat

golang.org/x/net/html: Cross site scripting↗2023-08-02

▶