CVE-2026-42554
Description
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, a Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from the attacker-controlled Accept header. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
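As an added illustration (not Fiber's code and not from the advisory), the following Go program models the pattern described above with net/http only: a handler hands attacker-influenced data to a content-negotiation routine whose text/html branch emits it verbatim, beside the corrected routine that encodes before emitting. The names autoFormat and respond, and the `<p>` wrapper in the html branch, are assumptions of this model; the page does not state Fiber's markup.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// autoFormat models the negotiation pattern the advisory describes (not Fiber's
// code): the branch is chosen from the client's Accept header; with escapeHTML
// false the text/html branch emits the body verbatim, which is the defect.
func autoFormat(w http.ResponseWriter, accept, body string, escapeHTML bool) {
	switch {
	case strings.Contains(accept, "text/html"):
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		if escapeHTML {
			body = html.EscapeString(body) // the fix: encode before emitting HTML
		}
		fmt.Fprintf(w, "<p>%s</p>", body)
	case strings.Contains(accept, "application/json"):
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(body) // encoding/json escapes < > & by default
	default:
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		fmt.Fprint(w, body)
	}
}

// respond drives a handler that reflects the attacker-influenced "name" query
// parameter through autoFormat (the handler shape the advisory says is exposed)
// and returns (Content-Type, body) so the effect of Accept can be checked offline.
func respond(escapeHTML bool, accept, name string) (string, string) {
	h := func(w http.ResponseWriter, r *http.Request) {
		autoFormat(w, r.Header.Get("Accept"), "Hello "+r.URL.Query().Get("name"), escapeHTML)
	}
	req := httptest.NewRequest(http.MethodGet, "/greet?name="+url.QueryEscape(name), nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	http.HandlerFunc(h).ServeHTTP(rec, req)
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	_, body := respond(false, "text/html", "<b>x</b>") // constructed sample input
	fmt.Println(body)
}
```

The same request with Accept: application/json or no matching Accept never reaches the html branch, which is why the defect is only observable when the client chooses text/html.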
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gofiber/fiber/v3 | Go | < 3.2.0 | 3.2.0 |
| github.com/gofiber/fiber/v2 | Go | < 2.52.13 | 2.52.13 |
Affected products
Package URLs and affected ranges (no CPE assigned for any of them):
- pkg:apk/chainguard/gatus: < 5.35.0-r11
- pkg:apk/chainguard/gatus-fips: < 5.35.0-r9
- pkg:apk/chainguard/versitygw: < 1.4.1-r2
- pkg:apk/chainguard/versitygw-fips: < 1.4.1-r3
- pkg:apk/wolfi/gatus: < 5.35.0-r11
- pkg:golang/github.com/gofiber/fiber/v2: < 2.52.13
- pkg:golang/github.com/gofiber/fiber/v3: < 3.2.0
References
- github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv (vendor advisory; NVD tags: Exploit, Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-qjv7-627w-8qjv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42554 (NVD entry)