Invoking incorrect handling of HTML elements in foreign content in...

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Basic Information

ID CVE-2026-42502

Source Go

Published May 22, 2026 at 15:01

Modified May 22, 2026 at 17:17

Affected Product

Vendor golang.org/x/net

Product golang.org/x/net/html

Affected Versions golang.org/x/net golang.org/x/net/html 0

References

{
    "lastseen": "",
    "description": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.",
    "published": "2026-05-22T15:01:21.649Z",
    "modified": "2026-05-22T17:17:20.637Z",
    "type": "cve",
    "title": "Invoking  incorrect handling of HTML elements in foreign content in golang.org/x/net/html",
    "source": "Go",
    "references": "https://go.dev/issue/79572\nhttps://groups.google.com/g/golang-announce/c/iI-mYSI0lu8\nhttps://go.dev/cl/781701\nhttps://pkg.go.dev/vuln/GO-2026-5027",
    "id": "CVE-2026-42502",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "golang.org/x/net golang.org/x/net/html 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "golang.org/x/net/html",
    "version": "0",
    "vendor": "golang.org/x/net",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html_CVE-2026-42502

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply