CVE-2026-25680
Published 2026-05-22
CVE-2026-25680: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Priority P4 · 27 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.25% (16.0th percentile)
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Affected
480 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-operator-bundle | — | — |
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel9 | — | — |
| advanced-cluster-security | rhacs-operator-bundle | — | — |
| advanced-cluster-security | rhacs-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel9 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform-27 | receptor-rhel9 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| cert-manager | cert-manager-istio-csr-rhel9 | — | — |
| cert-manager | cert-manager-trust-manager-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-file-integrity-operator-bundle | — | — |
| compliance | openshift-file-integrity-rhel8-operator | — | — |
| compliance | openshift-selinuxd-rhel10 | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| compliance | openshift-selinuxd-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
cvelistv5 · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vendor_redhat · 6.5 MEDIUM
GHSA
GHSA-5cv4-jp36-h3mw: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service
ghsa_unreviewed·2026-05-26
CVE-2026-25680 [MEDIUM] GHSA-5cv4-jp36-h3mw: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service
GHSA
Go Net HTML parser is vulnerable to denial of service
ghsa·2026-05-26
CVE-2026-25680 [MEDIUM] CWE-400 Go Net HTML parser is vulnerable to denial of service
In Go Net (`golang.org/x/net`) before version 0.55.0, parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
VulDB
x-net up to 0.54.x on Go algorithmic complexity
vuldb·2026-05-22
CVE-2026-25680 [LOW] x-net up to 0.54.x on Go algorithmic complexity
A vulnerability identified as problematic has been detected in x-net up to 0.54.x on Go. Impacted is an unknown function. This manipulation causes inefficient algorithmic complexity.
This vulnerability is tracked as CVE-2026-25680. The attack is possible to be carried out remotely. No exploit exists.
You should upgrade the affected component.
CVEList
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
cvelistv5·2026-05-22·CVSS 6.5
CVE-2026-25680 [MEDIUM] Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Red Hat
golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing
vendor_redhat·2026-05-22·CVSS 6.5
CVE-2026-25680 [MEDIUM] CWE-1050 golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing
A flaw was found in golang.org/x/net/html. A remote attacker could provide specially crafted HTML, which, when parsed by the affected component, would consume excessive CPU resources. This could lead to a Denial of Service (DoS) condition, making the system unavailable to legitimate users.
Statement: Red Hat rates this issue as Moderate with RH CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). A flaw was found in golang.org/x/net/html where parsing crafted HTML can consume excessive CPU time, leading to denial of service. Exploitation requires user interaction (a victim application parsing attac
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-25680 goss: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 goss: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Bugzilla
CVE-2026-25680 golang-x-net: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang-x-net: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 complyctl: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 complyctl: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 headscale: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 headscale: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 ollama: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 ollama: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 vhs: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 vhs: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 gopls: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 gopls: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 d2: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 d2: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 golang-x-tools: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang-x-tools: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 gum: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 gum: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
Bugzilla
CVE-2026-25680 golang-x-net: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang-x-net: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
Bugzilla
CVE-2026-25680 k9s: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 k9s: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 golang-github-projectdiscovery-chaos-client: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang-github-projectdiscovery-chaos-client: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 docker-buildx: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 docker-buildx: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 golang-x-tools: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang-x-tools: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
Bugzilla
CVE-2026-25680 gum: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 gum: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 trivy: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 trivy: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [epel-all]
Bugzilla
CVE-2026-25680 gvisor-tap-vsock: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 gvisor-tap-vsock: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 inspektor-gadget: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
bugzilla·2026-06-30·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 inspektor-gadget: golang.org/x/net/html: Denial of Service due to excessive HTML parsing [fedora-all]
Bugzilla
CVE-2026-25680 golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing
bugzilla·2026-05-22·CVSS 6.5
CVE-2026-25680 [MEDIUM] CVE-2026-25680 golang.org/x/net/html: golang.org/x/net/html: Denial of Service due to excessive HTML parsing
Published: 2026-05-22