Cross-Site Scripting Vulnerability in Go Language's Meta Tag Handling
CVE-2026-39823

Currently unrated

Key Information:

CVE Published: 7 May 2026

What is CVE-2026-39823?

A vulnerability exists in the Go language's handling of URLs within the meta tag's attribute. When ASCII whitespace characters are inserted around the '=' character, the escaping mechanism fails, which can enable Cross-Site Scripting (XSS) attacks. This flaw could allow malicious users to inject executable scripts, compromising the security of web applications that use this functionality. Developers should ensure proper escaping of URL content to mitigate these risks.

Affected Version(s)

  • html/template: from 0 before 1.25.10

  • html/template: from 1.26.0-0 before 1.26.3

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Samy Ghannad