Golang.Org X Net Golang.Org X Net Html vulnerabilities
10 known vulnerabilities affecting golang.org/x_net_golang.org_x_net_html.
Total CVEs
10
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
MEDIUM10
Vulnerabilities
Page 1 of 1
CVE-2025-22872P4MEDIUMCVSS 6.5fixed in 0.38.02025-04-16
CVE-2025-22872 [MEDIUM] CVE-2025-22872: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus cha
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM
nvd
CVE-2026-42506P4MEDIUMCVSS 6.1fixed in 0.55.02026-05-22
CVE-2026-42506 [MEDIUM] CWE-79 CVE-2026-42506: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. Th
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
cvelistv5nvd
CVE-2026-42502P4MEDIUMCVSS 6.1fixed in 0.55.02026-05-22
CVE-2026-42502 [MEDIUM] CWE-1021 CVE-2026-42502: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. Th
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
cvelistv5nvd
CVE-2026-25681P4MEDIUMCVSS 6.1fixed in 0.55.02026-05-22
CVE-2026-25681 [MEDIUM] CWE-1021 CVE-2026-25681: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. Th
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
cvelistv5nvd
CVE-2026-27136P4MEDIUMCVSS 6.1fixed in 0.55.02026-05-22
CVE-2026-27136 [MEDIUM] CWE-1021 CVE-2026-27136: Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. Th
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
cvelistv5nvd
CVE-2026-25680P4MEDIUMCVSS 6.5fixed in 0.55.02026-05-22
CVE-2026-25680 [MEDIUM] CWE-400 CVE-2026-25680: Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
cvelistv5nvd
CVE-2025-47911P4MEDIUMCVSS 5.3fixed in 0.45.02026-02-05
CVE-2025-47911 [MEDIUM] CVE-2025-47911: The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing ce
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
nvd
CVE-2025-58190P4MEDIUMCVSS 5.3fixed in 0.45.02026-02-05
CVE-2025-58190 [MEDIUM] CWE-835 CVE-2025-58190: The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certai
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
nvd
CVE-2024-45338P4MEDIUMCVSS 5.3fixed in 0.33.02024-12-18
CVE-2024-45338 [MEDIUM] CWE-1333 CVE-2024-45338: An attacker can craft an input to the Parse functions that would be processed non-linearly with resp
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
nvd
CVE-2023-3978P4MEDIUMCVSS 6.1fixed in 0.13.02023-08-02
CVE-2023-3978 [MEDIUM] CWE-79 CVE-2023-3978: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should b
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
nvd