CVE-2026-25680
PUBLISHED
Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Assigner: Go
Reserved: 05.02.2026
Published: 22.05.2026
Updated: 22.05.2026
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
Product Status
Vendor: golang.org/x/net
Product: golang.org/x/net/html
Versions:
Default: unaffected
affected from 0 to 0.55.0 (excl.)
Credits
IPC Labs
References
https://go.dev/cl/781702
https://go.dev/issue/79573
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://pkg.go.dev/vuln/GO-2026-5028
Problem Types
CWE-407: Inefficient Algorithmic Complexity