Vulnerability Report: GO-2026-5029

CVE-2026-25681
Affects: golang.org/x/net
Published: May 22, 2026

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected Packages

Path

Versions

Symbols
golang.org/x/net/html

before v0.55.0

Aliases

CVE-2026-25681

References

https://go.dev/issue/79574
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781703
https://vuln.go.dev/ID/GO-2026-5029.json

Credits

ensy

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL