Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

INFO

Published Date :

2026-03-06T21:28:14.674Z

Last Modified :

2026-03-16T15:21:14.465Z

Source :

Go
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27142 vulnerability.

Vendors Products
Go Standard Library
  • Html/template
Golang
  • Go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27142.

URL Resource
https://go.dev/cl/752081 cve-icon cve-icon cve-icon
https://go.dev/issue/77954 cve-icon cve-icon cve-icon
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27142 cve-icon
https://pkg.go.dev/vuln/GO-2026-4603 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27142 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact