Cross-Site Scripting Flaw in Go Fiber Framework
CVE-2026-42554

5.3 MEDIUM

Key Information:

Vendor

Gofiber

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-42554?

A Cross-Site Scripting (XSS) vulnerability exists in the Go Fiber web framework. AutoFormat() chooses the response representation from the request's Accept header; when a client sends 'Accept: text/html' to a handler that passes attacker-controlled data to AutoFormat(), the framework emits that data as raw HTML rather than as an escaped text body, so a remote attacker can inject arbitrary HTML or JavaScript into the response. The handler author never explicitly chooses HTML output: the client's header drives the content negotiation, and there is no way for the developer to opt out of raw HTML emission for an individual request. Under those conditions an attacker controls both the format selection and the reflected content, which is the design flaw in AutoFormat(). The issue has been resolved in versions 2.52.12 and 3.1.0.
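The following added example is not code from this advisory or from the Fiber project. It reproduces the mechanism described above with the Go standard library only: a stand-in `autoFormatUnsafe()` that picks the representation from the client's Accept header and wraps the body in a <p> element unescaped (an assumption about the vulnerable behaviour, not Fiber's actual implementation), a hardened `autoFormatSafe()` that escapes before wrapping, and a `render()` driver that replays the same reflected input under different Accept values. The simplified `negotiate()` is a first-match parser and does not reproduce Fiber's own Accepts() logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// negotiate picks a representation from the Accept header (first match wins;
// q-values are ignored). Simplified stand-in for framework negotiation.
func negotiate(accept string) string {
	for _, part := range strings.Split(accept, ",") {
		mediaType := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		switch mediaType {
		case "text/html":
			return "html"
		case "application/json":
			return "json"
		}
	}
	return "txt"
}

// autoFormatUnsafe mirrors the behaviour the advisory describes: the client's
// Accept header, not the handler author, decides whether body is emitted as
// raw HTML. Illustrative code, not Fiber's implementation.
func autoFormatUnsafe(w http.ResponseWriter, r *http.Request, body string) {
	switch negotiate(r.Header.Get("Accept")) {
	case "html":
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, "<p>%s</p>", body) // body lands in the page as markup
	case "json":
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(body) // encoder escapes <, >, & by default
	default:
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		fmt.Fprint(w, body) // text/plain is not rendered, so no script runs
	}
}

// autoFormatSafe keeps the same negotiation but HTML-escapes the body before
// wrapping it, so attacker input cannot break out of the <p> element.
func autoFormatSafe(w http.ResponseWriter, r *http.Request, body string) {
	if negotiate(r.Header.Get("Accept")) == "html" {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, "<p>%s</p>", html.EscapeString(body))
		return
	}
	autoFormatUnsafe(w, r, body) // the non-HTML branches were already safe
}

type formatter func(http.ResponseWriter, *http.Request, string)

// render drives a handler that reflects the "name" query parameter through fn,
// the way a vulnerable handler hands user data to AutoFormat().
// It returns the response Content-Type and body.
func render(fn formatter, accept, name string) (string, string) {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fn(w, r, r.URL.Query().Get("name"))
	})
	req := httptest.NewRequest(http.MethodGet, "/greet?name="+url.QueryEscape(name), nil)
	req.Header.Set("Accept", accept)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	payload := "<img src=x onerror=alert(1)>" // constructed probe, no real target
	for _, accept := range []string{"text/html", "application/json", "text/plain"} {
		ct, body := render(autoFormatUnsafe, accept, payload)
		fmt.Printf("unsafe Accept=%-16s -> %s %q\n", accept, ct, body)
	}
	ct, body := render(autoFormatSafe, "text/html", payload)
	fmt.Printf("safe   Accept=%-16s -> %s %q\n", "text/html", ct, body)
}
```

The practical check this models: send a harmless marker such as `<b>x</b>` with `Accept: text/html` to any endpoint that reflects request data, and treat a response whose Content-Type is text/html and whose body contains the marker unescaped as exploitable. Note that the same handler answers `application/json` and `text/plain` requests safely, which is why the issue only shows up when the attacker supplies the HTML Accept header.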

Affected Version(s)

fiber < 2.52.13

fiber >= 3.0.0-beta.2, < 3.1.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published: 11 May 2026

  • Vulnerability reserved
