CVE-2026-27136

Published: May 22, 2026

Modified: May 22, 2026

PUBLISHED

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Vendor	Product	Versions
golang.org/x/net	golang.org/x/net/html	affected `0 - < 0.55.0`

References

https://go.dev/issue/79575

https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8

https://go.dev/cl/781685

https://pkg.go.dev/vuln/GO-2026-5030

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-27136

Description

Affected Products

References