CVE-2026-39823

Published: May 7, 2026

Modified: May 8, 2026

PUBLISHED

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

Vendor	Product	Versions
Go standard library	html/template	affected `0 - < 1.25.10` affected `1.26.0-0 - < 1.26.3`

References

https://go.dev/issue/78913

https://go.dev/cl/769920

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://pkg.go.dev/vuln/GO-2026-4982

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-39823

Description

Affected Products

References