Unrated severityNVD Advisory· Published May 22, 2026· Updated May 22, 2026

Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-42506

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/781700mitre
go.dev/issue/79571mitre
groups.google.com/g/golang-announce/c/iI-mYSI0lu8mitre
pkg.go.dev/vuln/GO-2026-5025mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000