CVE-2026-27142
Last modified
CVE-2026-27142 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.25.8 |
| Golang | Go | 1.26.0 |
References
- https://go.dev/cl/752081Mailing List
- https://go.dev/issue/77954Issue Tracking
- https://pkg.go.dev/vuln/GO-2026-4603Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-27142?
How severe is CVE-2026-27142?
How do I fix CVE-2026-27142?
Are you affected by CVE-2026-27142?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST