CVE-2026-42506 PUBLISHED

Incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

Assigner: Go
Reserved: 28.04.2026 Published: 22.05.2026 Updated: 22.05.2026

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Product Status

Vendor: golang.org/x/net
Product: golang.org/x/net/html
Versions: Default: unaffected
  • affected from 0 to 0.55.0 (excl.)
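
A dependency check for the affected range above, as an added example that is not part of the CVE record or the Go project's code: it reads a go.mod and reports whether the required golang.org/x/net version sorts before 0.55.0. The sample go.mod and the helper names are constructed, and it assumes no `replace` directive or vendored copy overrides the requirement.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const module = "golang.org/x/net"
// First unaffected release per the record: "affected from 0 to 0.55.0 (excl.)".
var fixed = [3]int{0, 55, 0}

// Constructed go.mod; the module name and both versions are made up.
const sampleGoMod = `module example.test/sanitizer
require (
	golang.org/x/net v0.54.0 // indirect
	golang.org/x/text v0.30.0
)`

// requiredVersion returns the version go.mod requires for module, or "" if absent.
func requiredVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module && strings.HasPrefix(f[1], "v") {
			return f[1]
		}
	}
	return ""
}

// affected reports whether v precedes 0.55.0; a pre-release or pseudo-version of 0.55.0 counts.
func affected(v string) (bool, error) {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(parts) != 3 {
			return false, fmt.Errorf("unexpected version %q", v)
		}
		if n != fixed[i] {
			return n < fixed[i], nil
		}
	}
	return pre, nil
}

func main() {
	fmt.Println(affected(requiredVersion(sampleGoMod)))
}
```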

Credits

  • ensy

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')