Vulnerability Report: GO-2026-5030

CVE-2026-27136
Affects: golang.org/x/net
Published: May 22, 2026

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected Packages

Path

Versions

Symbols
golang.org/x/net/html

before v0.55.0

Aliases

CVE-2026-27136

References

https://go.dev/issue/79575
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781685
https://vuln.go.dev/ID/GO-2026-5030.json

Credits

ensy

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL