CVE-2026-25681
Published 2026-05-22
Priority P4 · 28 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.18% (7.6th percentile)
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected
480 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-operator-bundle | — | — |
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| advanced-cluster-security | rhacs-rhel8-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| cert-manager | cert-manager-istio-csr-rhel9 | — | — |
| cert-manager | cert-manager-trust-manager-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| cnv-tech-preview | multus-cni | — | — |
| compliance | openshift-compliance-must-gather-rhel8 | — | — |
| compliance | openshift-compliance-openscap-rhel8 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-compliance-rhel8-operator | — | — |
| compliance | openshift-selinuxd-rhel10 | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| compliance | openshift-selinuxd-rhel9 | — | — |
| container-native-virtualization | hyperconverged-cluster-operator-rhel9 | — | — |
| container-native-virtualization | hyperconverged-cluster-webhook-rhel9 | — | — |
CVSS provenance
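| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| cvelistv5 | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | — | 6.1 | MEDIUM | — |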
Red Hat
golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
vendor_redhat·2026-05-22·CVSS 6.1
CVE-2026-25681 [MEDIUM] CWE-79 golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
A flaw was found in golang.org/x/net/html. A remote attacker could exploit this vulnerability by providing specially crafted HTML. When this arbitrary HTML is parsed and rendered, it can result in an unexpected HTML tree, bypassing input sanitization. This can be leveraged to execute Cross-Site Scripting (XSS) attacks, potentially leading to arbitrary code execution in applications that use the affected component.
Statement: This Important vulnerability in `golang.org/x/net/html` cou
GHSA
GHSA-w9p8-pvxh-rxpj: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree
ghsa_unreviewed·2026-05-26
CVE-2026-25681 [MEDIUM] GHSA-w9p8-pvxh-rxpj: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVEList
Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
cvelistv5·2026-05-22·CVSS 6.1
CVE-2026-25681 [MEDIUM] Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
VulDB
x-net up to 0.54.x on Go cross site scripting
vuldb·2026-05-22
CVE-2026-25681 [LOW] x-net up to 0.54.x on Go cross site scripting
A vulnerability categorized as problematic has been discovered in x-net up to 0.54.x on Go. Affected by this issue is some unknown functionality. Executing a manipulation can lead to cross site scripting.
This vulnerability is tracked as CVE-2026-25681. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-25681 containerd: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 containerd: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Bugzilla
CVE-2026-25681 helm: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 helm: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 zabbix: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 zabbix: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 golang-x-tools: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-x-tools: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 nuclei: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 nuclei: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 glow: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 glow: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 forgejo: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 forgejo: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 golang-github-acme-lego: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-acme-lego: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 k9s: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 k9s: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 grafana: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 grafana: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 migrate: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 migrate: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 ollama: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 ollama: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 openbao: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 openbao: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 docker-buildx: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 docker-buildx: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-o1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-o1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 helm3: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 helm3: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 cri-o1.33: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-o1.33: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.35: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.35: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 matterbridge: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 matterbridge: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 dnsx: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 dnsx: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 headscale: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 headscale: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 chezmoi: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 chezmoi: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 helm3: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 helm3: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 chezmoi: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 chezmoi: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 ffuf: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 ffuf: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.36: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.36: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 anubis: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 anubis: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.30: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.30: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 trivy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 trivy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-o: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-o: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 containerd: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 containerd: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 xq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 xq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 podman: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 podman: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 golang-github-projectdiscovery-chaos-client: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-projectdiscovery-chaos-client: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 prometheus: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.33: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.33: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.30: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.30: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 gopls: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 gopls: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 glow: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 glow: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 opentofu: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 opentofu: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 subfinder: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 subfinder: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 vhs: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 vhs: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 rclone: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 rclone: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 golang-github-kyokomi-emoji: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-kyokomi-emoji: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 golang-github-deepmap-oapi-codegen: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-deepmap-oapi-codegen: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-o1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-o1.31: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 golang-github-projectdiscovery-mapcidr: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-projectdiscovery-mapcidr: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 xq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 xq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 gum: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 gum: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 exercism: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 exercism: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 gum: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 gum: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.36: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.36: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 caddy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 caddy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 kubernetes1.35: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 kubernetes1.35: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 goss: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 goss: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-o1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-o1.32: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 cri-tools1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 cri-tools1.34: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 nuclei: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 nuclei: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 yq: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 golang-github-microcosm-cc-bluemonday: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 golang-github-microcosm-cc-bluemonday: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 zabbix: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 zabbix: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 gvisor-tap-vsock: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 gvisor-tap-vsock: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
Bugzilla
CVE-2026-25681 zabbix7.0: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
CVE-2026-25681 [MEDIUM] CVE-2026-25681 zabbix7.0: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
Bugzilla
CVE-2026-25681 openbao: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 inspektor-gadget: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 d2: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 osbuild-composer: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 receptor: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 hugo: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 golang-x-net: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 matterbridge: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 netdata: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 golang-x-tools: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 cri-o1.30: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 cri-o1.35: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 gh: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 golang-x-net: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 caddy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 asnmap: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 zabbix6.0: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 complyctl: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 image-builder: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 trivy: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 forgejo: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 gh: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 rclone: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [epel-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 kubernetes1.33: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting [fedora-all]
bugzilla·2026-06-30·CVSS 6.1
Bugzilla
CVE-2026-25681 golang.org/x/net/html: golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
bugzilla·2026-05-22·CVSS 6.1
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
2026-05-22
Published