Cross-Site Scripting Vulnerability in Go Programming Language
CVE-2026-42502

Currently unrated

Key Information:

Vendor: Golang.org/x/net
Status: Golang.org/x/net/html
Vendor: CVE Published:; 22 May 2026

🔔 Create Golang.org/x/net Vulnerability Alert

What is CVE-2026-42502?

The vulnerability in Go's Render function arises from improper parsing of arbitrary HTML. This weakness can lead to the creation of unexpected HTML trees, which may enable attackers to carry out Cross-Site Scripting (XSS) attacks, particularly in applications that attempt to sanitize user input HTML before rendering it.

Affected Version(s)

golang.org/x/net/html 0 < 0.55.0

References

https://go.dev/issue/79572

https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

https://go.dev/cl/781701

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
Apr 28, 2026

Credit

Tristan Madani

CVE-2026-42502 Data

JSON