{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27142", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-03-06T21:28:14.674Z", "dateUpdated": "2026-03-16T15:21:14.465Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.674Z"}, "title": "URLs in meta content attribute actions are not escaped in html/template", "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}], "affected": [{"vendor": "Go standard library", "product": "html/template", "collectionURL": "https://pkg.go.dev", "packageName": "html/template", "versions": [{"version": "0", "lessThan": "1.25.8", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "tTag"}, {"name": "escaper.escapeAction"}, {"name": "Template.Execute"}, {"name": "Template.ExecuteTemplate"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77954"}, {"url": "https://go.dev/cl/752081"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4603"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:21:11.058826Z", "id": "CVE-2026-27142", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:21:14.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:21:11.058826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:38:17.936Z"}}], "cna": {"title": "URLs in meta content attribute actions are not escaped in html/template", "affected": [{"vendor": "Go standard library", "product": "html/template", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.8", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "html/template", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "tTag"}, {"name": "escaper.escapeAction"}, {"name": "Template.Execute"}, {"name": "Template.ExecuteTemplate"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77954"}, {"url": "https://go.dev/cl/752081"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4603"}], "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27142", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:21:14.465Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.674Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D293CC0-B163-4E62-B985-52FB6ECA64C5", "versionEndExcluding": "1.25.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:1.26.0:*:*:*:*:*:*:*", "matchCriteriaId": "A40FE3CB-0D03-462B-8A19-4DF1920ABE82", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}, {"lang": "es", "value": "Acciones que insertan URLs en el atributo content de las etiquetas meta HTML no se escapan. Esto puede permitir XSS si la etiqueta meta tambi\u00e9n tiene un atributo http-equiv con el valor 'refresh'. Se ha a\u00f1adido una nueva configuraci\u00f3n GODEBUG, htmlmetacontenturlescape, que se puede usar para deshabilitar el escape de URLs en acciones en el atributo content de las etiquetas meta que siguen a 'url=' al establecer htmlmetacontenturlescape=0."}], "id": "CVE-2026-27142", "lastModified": "2026-04-21T14:30:01.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.177", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/752081"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/77954"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4603"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "html/template: URLs in meta content attribute actions are not escaped in html/template", "id": "2445351", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445351"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27142", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-06T21:28:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27142\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27142\nhttps://go.dev/cl/752081\nhttps://go.dev/issue/77954\nhttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk\nhttps://pkg.go.dev/vuln/GO-2026-4603"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.0-0,1.26.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "html/template", "source": "cna", "vendor": "Go standard library"}, "product": "html/template", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T04:35:24.882476+00:00", "value": {"mitigation_remediation": ["Upgrade the Go runtime and compiler to the latest stable release that includes the fix for unescaped URLs in meta content attributes.", "Ensure the GODEBUG environment variable htmlmetacontenturlescape is set to its default value (1) so that URLs are escaped, and avoid disabling this setting.", "Review and modify any template code that generates meta tags with dynamic URLs; escape or validate the URLs using standard library functions before inserting them into the content attribute, and remove http-equiv=\"refresh\" unless absolutely necessary."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site scripting exploitation"}, "threat_synthesis": {"affected_systems": "The affected component is the Go standard library\u2019s html/template package used when rendering web pages. No specific product version is mentioned in the public data, but any Go installation that uses html/template to generate meta tags with dynamic URLs is potentially vulnerable until the library is updated to the patched release.", "description_and_impact": "The Go standard library\u2019s html/template package does not escape URLs that are inserted into the content attribute of meta tags. If a template renders a meta tag containing http-equiv=\"refresh\" with a URL supplied from user input, the unescaped URL can be hijacked to inject arbitrary payloads, enabling a client\u2011side cross\u2011site scripting (XSS) attack. The flaw involves CWE\u201179 and allows an attacker to execute arbitrary JavaScript in the context of the victim\u2019s browser.", "risk_and_exploitability": "The flaw is scored as CVSS 6.1, indicating a moderate severity, and the EPSS score is below 1\u202f%, suggesting low current exploitation probability. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would require the attacker to influence the content passed to the template, such as through a form or URL parameter, and the attack vector is most likely client\u2011side via a web page that includes a meta\u2011refresh tag. Successful exploitation could lead to credential theft, session hijacking, or other XSS\u2011based damage in the victim\u2019s browser."}}}}, "created": "2026-03-09T10:06:16.293055+00:00", "updated": "2026-04-16T04:45:16.125592+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$html/template"]}