CVE-2026-42502
Published 2026-05-22
Priority: P428 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.18% (7.6th percentile)
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| golang.org | x_net_golang.org_x_net_html | < 0.55.0 | 0.55.0 |
| golang | net | < 0.55.0 | 0.55.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| cvelistv5 | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
GHSA
GHSA-wrh2-89vg-4j9g [MEDIUM] (ghsa_unreviewed · 2026-05-26): Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree
VulDB
x-net up to 0.54.x on Go cross site scripting [LOW] (vuldb · 2026-05-22)
A vulnerability labeled as problematic has been found in x-net up to 0.54.x on Go. This vulnerability affects unknown code. The manipulation results in cross site scripting.
This vulnerability is cataloged as CVE-2026-42502. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
CVEList
Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html [MEDIUM] (cvelistv5 · 2026-05-22 · CVSS 6.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.