{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27142", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-03-06T21:28:14.674Z", "dateUpdated": "2026-03-10T13:38:25.067Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.674Z"}, "title": "URLs in meta content attribute actions are not escaped in html/template", "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}], "affected": [{"vendor": "Go standard library", "product": "html/template", "collectionURL": "https://pkg.go.dev", "packageName": "html/template", "versions": [{"version": "0", "lessThan": "1.25.8", "status": "affected", "versionType": "semver"}, {"version": "1.26.0-0", "lessThan": "1.26.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "tTag"}, {"name": "escaper.escapeAction"}, {"name": "Template.Execute"}, {"name": "Template.ExecuteTemplate"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77954"}, {"url": "https://go.dev/cl/752081"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4603"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:37:43.593043Z", "id": "CVE-2026-27142", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:38:25.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:37:43.593043Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:38:17.936Z"}}], "cna": {"title": "URLs in meta content attribute actions are not escaped in html/template", "affected": [{"vendor": "Go standard library", "product": "html/template", "versions": [{"status": "affected", "version": "0", "lessThan": "1.25.8", "versionType": "semver"}, {"status": "affected", "version": "1.26.0-0", "lessThan": "1.26.1", "versionType": "semver"}], "packageName": "html/template", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "tTag"}, {"name": "escaper.escapeAction"}, {"name": "Template.Execute"}, {"name": "Template.ExecuteTemplate"}]}], "references": [{"url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"url": "https://go.dev/issue/77954"}, {"url": "https://go.dev/cl/752081"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4603"}], "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-03-06T21:28:14.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27142", "state": "PUBLISHED", "dateUpdated": "2026-03-10T13:38:25.067Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-06T21:28:14.674Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."}, {"lang": "es", "value": "Acciones que insertan URLs en el atributo content de las etiquetas meta HTML no se escapan. Esto puede permitir XSS si la etiqueta meta tambi\u00e9n tiene un atributo http-equiv con el valor 'refresh'. Se ha a\u00f1adido una nueva configuraci\u00f3n GODEBUG, htmlmetacontenturlescape, que se puede usar para deshabilitar el escape de URLs en acciones en el atributo content de las etiquetas meta que siguen a 'url=' al establecer htmlmetacontenturlescape=0."}], "id": "CVE-2026-27142", "lastModified": "2026-03-10T18:18:44.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-06T22:16:01.177", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/752081"}, {"source": "security@golang.org", "url": "https://go.dev/issue/77954"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4603"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{}