CVE-2026-42506
Published: 2026-05-22
Priority: P4 (28) · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.19% (8.6th percentile)
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Affected
550 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-operator-bundle | — | — |
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel9 | — | — |
| advanced-cluster-security | rhacs-operator-bundle | — | — |
| advanced-cluster-security | rhacs-rhel8-operator | — | — |
| advanced-cluster-security | rhacs-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-roxctl-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-slim-rhel9 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel8 | — | — |
| advanced-cluster-security | rhacs-scanner-v4-rhel9 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform-27 | receptor-rhel9 | — | — |
| assisted | agent-preinstall-image-builder-rhel9 | — | — |
| cert-manager | cert-manager-istio-csr-rhel9 | — | — |
| cert-manager | cert-manager-trust-manager-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-acmesolver-rhel9 | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| cnv-tech-preview | multus-cni | — | — |
| compliance | openshift-compliance-must-gather-rhel8 | — | — |
| compliance | openshift-compliance-openscap-rhel8 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| cvelistv5 | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA
GHSA-cg87-vwwh-xvgj: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree
ghsa_unreviewed · 2026-05-26 · MEDIUM
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
CVEList
Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
cvelistv5 · 2026-05-22 · CVSS 6.1 · MEDIUM
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
VulDB
x-net up to 0.54.x on Go cross site scripting
vuldb · 2026-05-22 · LOW
A vulnerability marked as problematic has been reported in x-net up to 0.54.x on Go. This issue affects some unknown processing. This manipulation causes cross site scripting.
This vulnerability is registered as CVE-2026-42506. Remote exploitation of the attack is possible. No exploit is available.
It is suggested to upgrade the affected component.
Red Hat
golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing
vendor_redhat · 2026-05-22 · CVSS 6.1 · MEDIUM · CWE-79
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
A flaw was found in golang.org/x/net/html. When parsing arbitrary HTML that is subsequently rendered, an unexpected HTML tree can be generated. A remote attacker could leverage this vulnerability to execute Cross-Site Scripting (XSS) attacks in applications that attempt to sanitize input HTML before rendering, potentially leading to unauthorized actions or information disclosure.
Mitigation: Update affected Go applications to use golang.org/x/net version 0.55.0 or later. As a wor
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42506 ollama: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
Bugzilla
CVE-2026-42506 vhs: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang-x-net: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 gum: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang-x-tools: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [epel-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 d2: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang-x-net: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [epel-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang-github-projectdiscovery-chaos-client: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 inspektor-gadget: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 gvisor-tap-vsock: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 complyctl: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 headscale: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 gopls: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 docker-buildx: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang-x-tools: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 trivy: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [epel-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 goss: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 k9s: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [fedora-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 gum: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing [epel-all]
bugzilla · 2026-06-29 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2026-42506 golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing
bugzilla · 2026-05-22 · CVSS 6.1 · MEDIUM