HTML Parsing Vulnerability in Go Programming Language by Google
CVE-2026-25681
Currently unrated
What is CVE-2026-25681?
Parsing arbitrary HTML and then rendering it can produce an unexpected DOM structure. Attackers may exploit this flaw in applications that rely on input sanitization to remove unsafe HTML, leading to potential Cross-Site Scripting (XSS) attacks. Developers using the affected versions of golang.org/x/net/html should apply the necessary patches or upgrade to a secure version to mitigate the risk.
Affected Version(s)
golang.org/x/net/html: versions from 0 up to (but not including) 0.55.0
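
An added example, not part of the advisory or the Go project's own code: a Go check that reads go.mod content and reports whether the required golang.org/x/net version falls in the affected range listed above. It assumes the html package is consumed through the golang.org/x/net module and that 0.55.0 is that module's fixed version; the function names and the sample go.mod are constructed, and replace directives are not resolved.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and first fixed version, taken from the advisory's affected range.
const xnetModule = "golang.org/x/net"
var fixed = [3]int{0, 55, 0}

// isAffected reports whether version v sorts before the fixed release.
func isAffected(v string) (bool, error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // drop build metadata
	v, _, pre := strings.Cut(v, "-")                       // pre-release or pseudo-version
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a semantic version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, err
		}
		if n != fixed[i] {
			return n < fixed[i], nil
		}
	}
	return pre, nil // same core as the fix: only a pre-release sorts before it
}

// xnetVersion returns the golang.org/x/net version a go.mod file requires.
func xnetVersion(goMod string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip trailing comments
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require"))
		if len(f) >= 2 && f[0] == xnetModule && strings.HasPrefix(f[1], "v") {
			return f[1], true
		}
	}
	return "", false
}

func main() {
	mod := "require (\n\tgolang.org/x/net v0.54.0 // indirect\n)\n" // constructed sample
	v, _ := xnetVersion(mod)
	bad, err := isAffected(v)
	fmt.Println(v, bad, err)
}
```

Pseudo-versions such as v0.0.0-<timestamp>-<commit> are compared on their numeric core, so they are reported as affected.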
