VYPR
Medium severity6.1GHSA Advisory· Published May 11, 2026· Updated May 18, 2026

CVE-2026-42554

CVE-2026-42554

Description

Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/gofiber/fiber/v3Go
< 3.2.03.2.0
github.com/gofiber/fiber/v2Go
< 2.52.132.52.13

Affected products

9

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.