Unrated severityNVD Advisory· Published May 22, 2026· Updated May 22, 2026

Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-27136

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/781685mitre
go.dev/issue/79575mitre
groups.google.com/g/golang-announce/c/iI-mYSI0lu8mitre
pkg.go.dev/vuln/GO-2026-5030mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000