Medium severity6.1NVD Advisory· Published Mar 6, 2026· Updated Apr 21, 2026

CVE-2026-27142

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected products

Golang/Go2 versions
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*range: <1.25.8
- cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

pkg.go.dev/vuln/GO-2026-4603nvdVendor Advisory
go.dev/cl/752081nvdMailing List
go.dev/issue/77954nvdIssue Tracking
groups.google.com/g/golang-announce/c/EdhZqrQ98hknvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000