CVE-2026-39823

Aliases:GO-2026-4982BIT-golang-2026-39823

Advisory lineage Upstream: 0 Downstream: 4

Downstream

DEBIAN-CVE-2026-39823 OPENSUSE-SU-2026:10723-1 OPENSUSE-SU-2026:10741-1 UBUNTU-CVE-2026-39823

Analyzed

Published: 07 May 2026, 19:41

Last modified:08 May 2026, 14:05

Vulnerability Summary

Overall Risk (default)

low

24/100

CVSS Score

6.1 MEDIUM

v3.1 (cve.org)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

07 May 2026, 19:41

Published

Vulnerability first disclosed

08 May 2026, 14:05

Last Modified

Vulnerability information updated

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

CVSS Metrics

v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.01%• Percentile: 1%

Techniques & Countermeasures

CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

go standard library•html/template
< 1.25.10 | ≥ 1.26.0-0, < 1.26.3
golang•go
< 1.25.10 | ≥ 1.26.0, < 1.26.3
Go•stdlib
≥ 1.26.0-0, < 1.26.3