Denial of Service Vulnerability in Go Programming Language by Google
CVE-2026-25680

6.5MEDIUM

Key Information:

Vendor: Golang.org/x/net
Status: Golang.org/x/net/html
Vendor: CVE Published:; 22 May 2026

🔔 Create Golang.org/x/net Vulnerability Alert

What is CVE-2026-25680?

An issue has been identified within the Go programming language where the parsing of arbitrary HTML can lead to excessive CPU usage. This spike in resource consumption can result in a denial of service, severely impacting application performance and potentially compromising the overall system stability. Developers using affected versions are encouraged to assess their implementations and apply necessary mitigations to avoid disruptions.

Affected Version(s)

golang.org/x/net/html 0 < 0.55.0

References

https://go.dev/cl/781702

https://go.dev/issue/79573

https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
Feb 5, 2026

Credit

IPC Labs

CVE-2026-25680 Data

JSON