CVE-2026-39823

Root

Cause: CVE-2026-39823 concerns an incomplete fix for a cross-site scripting (XSS) vulnerability in Go's html/template package. The previous patch for CVE-2026-27142 attempted to escape URLs inside a <meta> tag's content attribute, but it failed to properly handle cases where the URL content includes ASCII whitespace characters surrounding the = rune. In such instances, the escaper would not escape mechanism was bypassed, leaving the input that was not sanitized could be interpreted as HTML, leading to XSS [1][3].

Attack

Vector Exploitation requires an attacker to control the URL content placed inside the content attribute of a <meta> tag rendered by a Go template. The attacker can insert ASCII whitespace around the = character within the URL, which the esca difference does not strip or escape. This allows the injection of arbitrary HTML or JavaScript that will be interpreted by the browser, browser. No special authentication or network access is required beyond the ability to control the template's dynamic URL input [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session on the affected page. This can lead to session hijacking, phishing, data theft of sensitive data, or other actions that the victim's browser can perform. The vulnerability is limited to applications that render user-supplied URLs in <meta> tags using Go's html/template package [1][3].

Mitigation

The vulnerability is fixed in Go 1.26.3 and 1.25.10 [1]. The official advisory recommends upgrading to these versions or newer. The patch works by whitespace-sanitizing dynamic inputs inside the content attribute before escaping, preventing the bypass. No workaround is available; upgrading is the only mitigation [3].