CVE-2026-27142
published 2026-05-07


Priority: P4 27
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.33% (24.5th percentile)
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content inserted ASCII whitespace around the '=' rune inside of the attribute, the escaper failed to escape it in the same way, leading to XSS.
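The description names one input class, URL attribute values carrying ASCII whitespace, that the affected escaper handled incorrectly. Independent of upgrading to a fixed package, a service can refuse such values before they reach a template at all. The following is an added example, not code from the Go project or from this record: a pre-templating validator that rejects any ASCII whitespace or control byte in a URL destined for an attribute and enforces an assumed scheme allowlist (http and https; relative URLs are accepted). The allowlist, the function name ValidateAttrURL and the sample inputs are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Sentinel errors so callers can distinguish the two rejection reasons.
var (
	ErrWhitespace = errors.New("url attribute value contains ASCII whitespace or a control byte")
	ErrScheme     = errors.New("url attribute value uses a scheme outside the allowlist")
)

// allowedSchemes is an assumed allowlist for this example; adjust to the application's needs.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// ValidateAttrURL checks a URL value before it is handed to a template for
// insertion into an href/src-style attribute. It rejects every byte at or
// below 0x20 (space, tab, newline, carriage return, form feed, vertical tab,
// other C0 controls) and DEL anywhere in the value, which covers the
// whitespace-around-'=' input class the advisory describes, and then enforces
// a scheme allowlist. Relative URLs (no scheme) are accepted. On success it
// returns the value unchanged so the caller can keep a single code path.
func ValidateAttrURL(raw string) (string, error) {
	for i := 0; i < len(raw); i++ {
		if b := raw[i]; b <= ' ' || b == 0x7f {
			return "", ErrWhitespace
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if s := strings.ToLower(u.Scheme); s != "" && !allowedSchemes[s] {
		return "", ErrScheme
	}
	return raw, nil
}

func main() {
	// Constructed sample inputs: two acceptable values, two with whitespace
	// inside the query, one with a non-allowlisted scheme.
	samples := []string{
		"https://example.com/path?a=1",
		"/local/path?a=1",
		"https://example.com/path?a = 1",
		"https://example.com/path?a=\t1",
		"data:text/plain,hello",
	}
	for _, s := range samples {
		if v, err := ValidateAttrURL(s); err != nil {
			fmt.Printf("rejected %q: %v\n", s, err)
		} else {
			fmt.Printf("accepted %q\n", v)
		}
	}
}
```

Call ValidateAttrURL on every user-controlled URL before passing it to the template; a rejection should be logged with the offending value so the attempt is visible in detection pipelines. This check does not replace the fixed package versions listed below; it narrows the input the escaper ever sees.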

Affected

118 ranges, showing 25

Vendor | Product | Version range | Fixed in
3scale-amp2 | 3scale-rhel7-operator | |
3scale-amp2 | 3scale-rhel9-operator | |
advanced-cluster-security | rhacs-main-rhel8 | |
ansible-automation-platform-26 | receptor-rhel9 | |
build-of-trustee | trustee-rhel9-operator | |
buildah_project | buildah | |
cert-manager | jetstack-cert-manager-rhel9 | |
compliance | openshift-compliance-operator-bundle | |
compliance | openshift-selinuxd-rhel8 | |
confidential-compute-attestation-tech-preview | trustee-rhel9-operator | |
confidential-containers | trustee | |
container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | |
container-native-virtualization | virt-api-rhel9 | |
container-tools_rhel8 | buildah | |
container-tools_rhel8 | conmon | |
container-tools_rhel8 | containernetworking-plugins | |
container-tools_rhel8 | podman | |
container-tools_rhel8 | skopeo | |
container-tools_rhel8 | toolbox | |
cryostat | cryostat-storage-rhel9 | |
custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | |
debian | golang-1.15 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky)
debian | golang-1.19 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky)
debian | golang-1.24 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky)
debian | golang-1.25 | < golang-1.25 1.25.8-1 (forky) | golang-1.25 1.25.8-1 (forky)

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv | | 6.1 | MEDIUM |
vendor_msrc | | 7.5 | HIGH |
vendor_debian | | 6.1 | MEDIUM |
vendor_redhat | | 6.1 | MEDIUM |