Arbitrary HTML Parsing Vulnerability in Go's HTML Rendering
CVE-2026-42506
Currently unrated
What is CVE-2026-42506?
The vulnerability allows arbitrary HTML to be parsed in a way that can lead to the construction of an unpredictable HTML tree. The flaw can be exploited in applications that sanitize HTML before rendering it, potentially allowing cross-site scripting (XSS) attacks. Developers using affected versions should review their HTML rendering processes.
Affected Version(s)
golang.org/x/net/html: versions from 0 up to, but not including, 0.55.0
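
A way to check whether a project falls in the affected range above, as an added example (not code from the advisory or the Go project): it reads go.mod text and compares the required golang.org/x/net version with 0.55.0. It assumes the html package is versioned with the golang.org/x/net module; the function names and the sample go.mod are constructed, and replace directives and vendored copies are not examined.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumption: the html package is versioned with the golang.org/x/net module.
const xnetModule = "golang.org/x/net"

var fixed = [3]int{0, 55, 0} // first unaffected version per the advisory

// belowFixed reports whether v ("vX.Y.Z[-pre]") sorts before the fixed version.
// Unparseable versions are reported as affected so they get a manual look.
func belowFixed(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+") // drop build metadata
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return true
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < fixed[i] {
			return true
		}
		if n > fixed[i] {
			return false
		}
	}
	return pre != "" // v0.55.0-rc1 and pseudo-versions precede v0.55.0
}

// CheckGoMod returns the x/net version required by go.mod text, whether it is
// in the affected range, and whether the module is required at all.
func CheckGoMod(gomod string) (version string, affected, found bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require"))
		if len(f) >= 2 && f[0] == xnetModule {
			return f[1], belowFixed(f[1]), true
		}
	}
	return "", false, false
}

func main() {
	// Constructed go.mod for illustration.
	sample := "module example.test/app\n\nrequire (\n\tgolang.org/x/net v0.54.0 // indirect\n)\n"
	fmt.Println(CheckGoMod(sample))
}
```

An indirect requirement counts as well, since the package can be pulled in by another dependency.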
