CVE-2026-27142

Published: Mar 6, 2026Modified: Apr 21, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.25.8
Golang Go	Version 1.26.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://go.dev/cl/752081

Source: security@golang.org

Mailing List

https://go.dev/issue/77954

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Source: security@golang.org

Release Notes

https://pkg.go.dev/vuln/GO-2026-4603

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.