CVE-2026-27142

MEDIUM severity · CVSS 6.1 · Cross-site scripting (XSS)

6.1CVSS MEDIUM

Summary

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://pkg.go.dev/vuln/GO-2026-4603Advisory
https://go.dev/cl/752081
https://go.dev/issue/77954
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk