CVE-2026-27142Cross-site Scripting in Standard Library Html Template

CWE-79Cross-site Scripting9 documents8 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 98.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GO Standard Library Html Template
Timeline
PublishedMar 6
Latest updateMar 10

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

CVEListV5go_standard_library/html_template1.26.0-01.26.1+1

🔴Vulnerability Details

4
GHSA
GHSA-j4j7-vw47-rhfq: Actions which insert URLs into the content attribute of HTML meta tags are not escaped2026-03-07
OSV
CVE-2026-27142: Actions which insert URLs into the content attribute of HTML meta tags are not escaped2026-03-06
OSV
URLs in meta content attribute actions are not escaped in html/template2026-03-06
CVEList
URLs in meta content attribute actions are not escaped in html/template2026-03-06

📋Vendor Advisories

3
Microsoft
URLs in meta content attribute actions are not escaped in html/template2026-03-10
Red Hat
html/template: URLs in meta content attribute actions are not escaped in html/template2026-03-06
Debian
CVE-2026-27142: golang-1.15 - Actions which insert URLs into the content attribute of HTML meta tags are not e...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27142 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-27142 — Cross-site Scripting | cvebase