CVE-2026-39823
Published: 2026-05-07
Priority: P4 (26), medium, CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.31% (23.2 percentile)
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.
Affected (98 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-compute-attestation-tech-preview | trustee-rhel9-operator | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| dvo | deployment-validation-rhel8-operator | — | — |
| etcd | etcd | — | — |
CVSS provenance
NVD (CVSS v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 6.1 MEDIUM
VulDB
html-template up to 1.25.9/1.26.2 on Go cross site scripting (EUVD-2026-28424)
vuldb · 2026-05-07 · CVSS 6.1 · MEDIUM
A vulnerability was found in html-template up to 1.25.9/1.26.2 on Go. It has been declared as problematic. This issue affects some unknown processing. Executing a manipulation can lead to cross site scripting.
This vulnerability appears as CVE-2026-39823. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
GHSA-2283-wf8c-rw8r: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute
ghsa_unreviewed · 2026-05-07 · CVSS 6.1 · MEDIUM
Red Hat
html/template: golang: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content
vendor_redhat · 2026-05-07 · CVSS 6.1 · MEDIUM · CWE-79
A flaw was found in the `html/template` package of Go. A remote attacker could exploit this vulnerability by inserting ASCII whitespaces around the equals sign (`=`) within a URL's content attribute inside a `<meta>` tag. This improper escaping could lead to Cross-Site Scripting (XSS), allowing the attacker to execute malicious scripts in the user's browser.
Statement: Red Hat products ship the Go `html/template` package as
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39823 gh: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content [fedora-all]
bugzilla · 2026-07-01 · CVSS 6.1 · MEDIUM
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.
Bugzilla
CVE-2026-39823 reg: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content [epel-all]
bugzilla · 2026-07-01 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-39823 gh: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content [epel-all]
bugzilla · 2026-07-01 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-39823 html/template: golang: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content
bugzilla · 2026-05-07 · CVSS 6.1 · MEDIUM
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121
---
This issue has been addressed in the following products:
Red Hat Enterp
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVSS 10.0 · CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges