Unrated severityNVD Advisory· Published May 22, 2026· Updated May 22, 2026

Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-42502

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/781701mitre
go.dev/issue/79572mitre
groups.google.com/g/golang-announce/c/iI-mYSI0lu8mitre
pkg.go.dev/vuln/GO-2026-5027mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000