FKIE_CVE-2026-27142

Vulnerability from fkie_nvd - Published: 2026-03-06 22:16 - Updated: 2026-03-16 16:16
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
References
security@golang.orghttps://go.dev/cl/752081
security@golang.orghttps://go.dev/issue/77954
security@golang.orghttps://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
security@golang.orghttps://pkg.go.dev/vuln/GO-2026-4603
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value \"refresh\". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow \"url=\" by setting htmlmetacontenturlescape=0."
    },
    {
      "lang": "es",
      "value": "Acciones que insertan URLs en el atributo content de las etiquetas meta HTML no se escapan. Esto puede permitir XSS si la etiqueta meta tambi\u00e9n tiene un atributo http-equiv con el valor \u0027refresh\u0027. Se ha a\u00f1adido una nueva configuraci\u00f3n GODEBUG, htmlmetacontenturlescape, que se puede usar para deshabilitar el escape de URLs en acciones en el atributo content de las etiquetas meta que siguen a \u0027url=\u0027 al establecer htmlmetacontenturlescape=0."
    }
  ],
  "id": "CVE-2026-27142",
  "lastModified": "2026-03-16T16:16:13.770",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T22:16:01.177",
  "references": [
    {
      "source": "security@golang.org",
      "url": "https://go.dev/cl/752081"
    },
    {
      "source": "security@golang.org",
      "url": "https://go.dev/issue/77954"
    },
    {
      "source": "security@golang.org",
      "url": "https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk"
    },
    {
      "source": "security@golang.org",
      "url": "https://pkg.go.dev/vuln/GO-2026-4603"
    }
  ],
  "sourceIdentifier": "security@golang.org",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.