Search

Find a vulnerability

Search criteria

    20 vulnerabilities found for golang.org/x/net/html by golang.org/x/net

    CVE-2026-42506 (GCVE-0-2026-42506)

    Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:45
    VLAI
    Title
    Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:45:29.886387Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:45:49.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.056Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79571"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781700"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5025"
            }
          ],
          "title": "Invoking  incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-42506",
        "datePublished": "2026-05-22T15:01:21.056Z",
        "dateReserved": "2026-04-28T00:21:12.792Z",
        "dateUpdated": "2026-05-22T17:45:49.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42502 (GCVE-0-2026-42502)

    Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:17
    VLAI
    Title
    Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    Tristan Madani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42502",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:16:33.414557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:17:20.637Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tristan Madani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.649Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79572"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781701"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5027"
            }
          ],
          "title": "Invoking  incorrect handling of HTML elements in foreign content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-42502",
        "datePublished": "2026-05-22T15:01:21.649Z",
        "dateReserved": "2026-04-28T00:21:12.791Z",
        "dateUpdated": "2026-05-22T17:17:20.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27136 (GCVE-0-2026-27136)

    Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59
    VLAI
    Title
    Invoking duplicate attributes can cause XSS in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27136",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:59:35.355098Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:59:52.807Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:22.111Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79575"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781685"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5030"
            }
          ],
          "title": "Invoking  duplicate attributes can cause XSS in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-27136",
        "datePublished": "2026-05-22T15:01:22.111Z",
        "dateReserved": "2026-02-17T19:57:28.434Z",
        "dateUpdated": "2026-05-22T16:59:52.807Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25681 (GCVE-0-2026-25681)

    Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46
    VLAI
    Title
    Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:46:00.775026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:46:20.366Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.975Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79574"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781703"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5029"
            }
          ],
          "title": "Invoking  incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-25681",
        "datePublished": "2026-05-22T15:01:21.975Z",
        "dateReserved": "2026-02-05T01:35:43.738Z",
        "dateUpdated": "2026-05-22T17:46:20.366Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25680 (GCVE-0-2026-25680)

    Vulnerability from nvd – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00
    VLAI
    Title
    Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    IPC Labs
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25680",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:00:30.926552Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:00:35.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "IPC Labs"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.805Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/781702"
            },
            {
              "url": "https://go.dev/issue/79573"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5028"
            }
          ],
          "title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-25680",
        "datePublished": "2026-05-22T15:01:21.805Z",
        "dateReserved": "2026-02-05T01:35:43.737Z",
        "dateUpdated": "2026-05-22T17:00:35.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58190 (GCVE-0-2025-58190)

    Vulnerability from nvd – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22
    VLAI
    Title
    Infinite parsing loop in golang.org/x/net
    Summary
    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.45.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T15:22:10.801204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T15:22:37.685Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "inRowIM"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.45.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-835: Loop with Unreachable Exit Condition",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T17:48:44.693Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
            },
            {
              "url": "https://github.com/golang/vulndb/issues/4441"
            },
            {
              "url": "https://go.dev/cl/709875"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4441"
            }
          ],
          "title": "Infinite parsing loop in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-58190",
        "datePublished": "2026-02-05T17:48:44.693Z",
        "dateReserved": "2025-08-27T14:50:58.692Z",
        "dateUpdated": "2026-02-12T15:22:37.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47911 (GCVE-0-2025-47911)

    Vulnerability from nvd – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:23
    VLAI
    Title
    Quadratic parsing complexity in golang.org/x/net/html
    Summary
    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.45.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken Jakub Ciolek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47911",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T15:23:40.307728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T15:23:55.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.45.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            },
            {
              "lang": "en",
              "value": "Jakub Ciolek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T17:48:44.562Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/709876"
            },
            {
              "url": "https://github.com/golang/vulndb/issues/4440"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4440"
            }
          ],
          "title": "Quadratic parsing complexity in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-47911",
        "datePublished": "2026-02-05T17:48:44.562Z",
        "dateReserved": "2025-05-13T23:31:29.597Z",
        "dateUpdated": "2026-02-12T15:23:55.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-22872 (GCVE-0-2025-22872)

    Vulnerability from nvd – Published: 2025-04-16 17:13 – Updated: 2025-05-16 23:03
    VLAI
    Title
    Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    Summary
    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.38.0 (semver)
    Create a notification for this product.
    Credits
    Sean Ng (https://ensy.zip)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T20:14:29.607584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T20:15:13.433Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-16T23:03:07.693Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250516-0007/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "Tokenizer.readStartTag"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                },
                {
                  "name": "Tokenizer.Next"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Sean Ng (https://ensy.zip)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-16T17:13:02.550Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/662715"
            },
            {
              "url": "https://go.dev/issue/73070"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2025-3595"
            }
          ],
          "title": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-22872",
        "datePublished": "2025-04-16T17:13:02.550Z",
        "dateReserved": "2025-01-08T19:11:42.834Z",
        "dateUpdated": "2025-05-16T23:03:07.693Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45338 (GCVE-0-2024-45338)

    Vulnerability from nvd – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
    VLAI
    Title
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
    Summary
    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.33.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-31T19:51:42.228627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1333",
                    "description": "CWE-1333 Inefficient Regular Expression Complexity",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-31T19:55:04.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-21T18:03:32.301Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parseDoctype"
                },
                {
                  "name": "htmlIntegrationPoint"
                },
                {
                  "name": "inTableIM"
                },
                {
                  "name": "inBodyIM"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.33.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T20:38:22.660Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/637536"
            },
            {
              "url": "https://go.dev/issue/70906"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2024-3333"
            }
          ],
          "title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2024-45338",
        "datePublished": "2024-12-18T20:38:22.660Z",
        "dateReserved": "2024-08-27T19:41:58.555Z",
        "dateUpdated": "2025-02-21T18:03:32.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3978 (GCVE-0-2023-3978)

    Vulnerability from nvd – Published: 2023-08-02 19:48 – Updated: 2024-09-27 21:57
    VLAI
    Title
    Improper rendering of text nodes in golang.org/x/net/html
    Summary
    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.13.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.711Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/61615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/514896"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-1988"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-27T21:49:56.220204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-27T21:57:51.807Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "render1"
                },
                {
                  "name": "Render"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-02T19:48:56.676Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/61615"
            },
            {
              "url": "https://go.dev/cl/514896"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-1988"
            }
          ],
          "title": "Improper rendering of text nodes in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-3978",
        "datePublished": "2023-08-02T19:48:56.676Z",
        "dateReserved": "2023-07-27T17:05:38.856Z",
        "dateUpdated": "2024-09-27T21:57:51.807Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-27136 (GCVE-0-2026-27136)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 16:59
    VLAI
    Title
    Invoking duplicate attributes can cause XSS in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27136",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T16:59:35.355098Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T16:59:52.807Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:22.111Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79575"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781685"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5030"
            }
          ],
          "title": "Invoking  duplicate attributes can cause XSS in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-27136",
        "datePublished": "2026-05-22T15:01:22.111Z",
        "dateReserved": "2026-02-17T19:57:28.434Z",
        "dateUpdated": "2026-05-22T16:59:52.807Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25681 (GCVE-0-2026-25681)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:46
    VLAI
    Title
    Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:46:00.775026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:46:20.366Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.975Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79574"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781703"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5029"
            }
          ],
          "title": "Invoking  incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-25681",
        "datePublished": "2026-05-22T15:01:21.975Z",
        "dateReserved": "2026-02-05T01:35:43.738Z",
        "dateUpdated": "2026-05-22T17:46:20.366Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25680 (GCVE-0-2026-25680)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:00
    VLAI
    Title
    Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-407 - Inefficient Algorithmic Complexity
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    IPC Labs
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25680",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:00:30.926552Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:00:35.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "IPC Labs"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-407: Inefficient Algorithmic Complexity",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.805Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/781702"
            },
            {
              "url": "https://go.dev/issue/79573"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5028"
            }
          ],
          "title": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-25680",
        "datePublished": "2026-05-22T15:01:21.805Z",
        "dateReserved": "2026-02-05T01:35:43.737Z",
        "dateUpdated": "2026-05-22T17:00:35.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42502 (GCVE-0-2026-42502)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:17
    VLAI
    Title
    Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    Tristan Madani
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42502",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:16:33.414557Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:17:20.637Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Tristan Madani"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.649Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79572"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781701"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5027"
            }
          ],
          "title": "Invoking  incorrect handling of HTML elements in foreign content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-42502",
        "datePublished": "2026-05-22T15:01:21.649Z",
        "dateReserved": "2026-04-28T00:21:12.791Z",
        "dateUpdated": "2026-05-22T17:17:20.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42506 (GCVE-0-2026-42506)

    Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-22 17:45
    VLAI
    Title
    Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html
    Summary
    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.55.0 (semver)
    Create a notification for this product.
    Credits
    ensy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42506",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T17:45:29.886387Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T17:45:49.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.55.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "ensy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T15:01:21.056Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/79571"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
            },
            {
              "url": "https://go.dev/cl/781700"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-5025"
            }
          ],
          "title": "Invoking  incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-42506",
        "datePublished": "2026-05-22T15:01:21.056Z",
        "dateReserved": "2026-04-28T00:21:12.792Z",
        "dateUpdated": "2026-05-22T17:45:49.989Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-58190 (GCVE-0-2025-58190)

    Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:22
    VLAI
    Title
    Infinite parsing loop in golang.org/x/net
    Summary
    The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.45.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-58190",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T15:22:10.801204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T15:22:37.685Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "inRowIM"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.45.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-835: Loop with Unreachable Exit Condition",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T17:48:44.693Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
            },
            {
              "url": "https://github.com/golang/vulndb/issues/4441"
            },
            {
              "url": "https://go.dev/cl/709875"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4441"
            }
          ],
          "title": "Infinite parsing loop in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-58190",
        "datePublished": "2026-02-05T17:48:44.693Z",
        "dateReserved": "2025-08-27T14:50:58.692Z",
        "dateUpdated": "2026-02-12T15:22:37.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47911 (GCVE-0-2025-47911)

    Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-12 15:23
    VLAI
    Title
    Quadratic parsing complexity in golang.org/x/net/html
    Summary
    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.45.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken Jakub Ciolek
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47911",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T15:23:40.307728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T15:23:55.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parser.parse"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.45.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            },
            {
              "lang": "en",
              "value": "Jakub Ciolek"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T17:48:44.562Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/709876"
            },
            {
              "url": "https://github.com/golang/vulndb/issues/4440"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4440"
            }
          ],
          "title": "Quadratic parsing complexity in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-47911",
        "datePublished": "2026-02-05T17:48:44.562Z",
        "dateReserved": "2025-05-13T23:31:29.597Z",
        "dateUpdated": "2026-02-12T15:23:55.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-22872 (GCVE-0-2025-22872)

    Vulnerability from cvelistv5 – Published: 2025-04-16 17:13 – Updated: 2025-05-16 23:03
    VLAI
    Title
    Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
    Summary
    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.38.0 (semver)
    Create a notification for this product.
    Credits
    Sean Ng (https://ensy.zip)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-22872",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T20:14:29.607584Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T20:15:13.433Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-05-16T23:03:07.693Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250516-0007/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "Tokenizer.readStartTag"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                },
                {
                  "name": "Tokenizer.Next"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Sean Ng (https://ensy.zip)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-16T17:13:02.550Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/662715"
            },
            {
              "url": "https://go.dev/issue/73070"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2025-3595"
            }
          ],
          "title": "Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2025-22872",
        "datePublished": "2025-04-16T17:13:02.550Z",
        "dateReserved": "2025-01-08T19:11:42.834Z",
        "dateUpdated": "2025-05-16T23:03:07.693Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45338 (GCVE-0-2024-45338)

    Vulnerability from cvelistv5 – Published: 2024-12-18 20:38 – Updated: 2025-02-21 18:03
    VLAI
    Title
    Non-linear parsing of case-insensitive content in golang.org/x/net/html
    Summary
    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-405 - Asymmetric Resource Consumption (Amplification)
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.33.0 (semver)
    Create a notification for this product.
    Credits
    Guido Vranken
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45338",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-31T19:51:42.228627Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1333",
                    "description": "CWE-1333 Inefficient Regular Expression Complexity",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-31T19:55:04.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-02-21T18:03:32.301Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20250221-0001/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "parseDoctype"
                },
                {
                  "name": "htmlIntegrationPoint"
                },
                {
                  "name": "inTableIM"
                },
                {
                  "name": "inBodyIM"
                },
                {
                  "name": "Parse"
                },
                {
                  "name": "ParseFragment"
                },
                {
                  "name": "ParseFragmentWithOptions"
                },
                {
                  "name": "ParseWithOptions"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.33.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Guido Vranken"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-18T20:38:22.660Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/637536"
            },
            {
              "url": "https://go.dev/issue/70906"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2024-3333"
            }
          ],
          "title": "Non-linear parsing of case-insensitive content in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2024-45338",
        "datePublished": "2024-12-18T20:38:22.660Z",
        "dateReserved": "2024-08-27T19:41:58.555Z",
        "dateUpdated": "2025-02-21T18:03:32.301Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3978 (GCVE-0-2023-3978)

    Vulnerability from cvelistv5 – Published: 2023-08-02 19:48 – Updated: 2024-09-27 21:57
    VLAI
    Title
    Improper rendering of text nodes in golang.org/x/net/html
    Summary
    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/html Affected: 0 , < 0.13.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:08:50.711Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/61615"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/514896"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-1988"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3978",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-27T21:49:56.220204Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-27T21:57:51.807Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/html",
              "product": "golang.org/x/net/html",
              "programRoutines": [
                {
                  "name": "render1"
                },
                {
                  "name": "Render"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-02T19:48:56.676Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/61615"
            },
            {
              "url": "https://go.dev/cl/514896"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-1988"
            }
          ],
          "title": "Improper rendering of text nodes in golang.org/x/net/html"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-3978",
        "datePublished": "2023-08-02T19:48:56.676Z",
        "dateReserved": "2023-07-27T17:05:38.856Z",
        "dateUpdated": "2024-09-27T21:57:51.807Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }