CVE-2026-27142 is a cross-site scripting vulnerability (CWE-79) found in the Go programming language's standard library, specifically in the html/template package used for generating HTML content safely. The issue occurs because when URLs are inserted into the content attribute of HTML meta tags, they are not properly escaped if the meta tag also contains an http-equiv attribute set to "refresh." This combination allows an attacker to craft malicious URLs that, when rendered by a vulnerable application, can execute arbitrary JavaScript in the context of the victim's browser. The vulnerability affects all Go versions up to and including 1.26.0-0. The Go team introduced a new GODEBUG environment variable named htmlmetacontenturlescape, which can disable escaping of URLs in meta content attributes following "url=", by setting htmlmetacontenturlescape=0. While this setting provides backward compatibility, disabling escaping increases the risk of XSS exploitation. The vulnerability has a CVSS v3.1 base score of 6.1, indicating medium severity, with an attack vector of network, low attack complexity, no privileges required, but requiring user interaction. The scope is changed, and the impact affects confidentiality and integrity partially, but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to web applications using Go's html/template for dynamic HTML generation, especially those that rely on meta refresh tags with URLs. Proper escaping of URLs in meta tags is critical to prevent injection of malicious scripts that could hijack user sessions or steal sensitive data.

This vulnerability can lead to cross-site scripting attacks, allowing attackers to execute arbitrary JavaScript in users' browsers when they visit affected web pages. The impact includes potential theft of sensitive information such as session cookies, user credentials, or other confidential data accessible via the browser context. It can also enable attackers to perform actions on behalf of users (integrity impact) or manipulate page content. Although availability is not directly affected, successful XSS can facilitate phishing, drive-by downloads, or further exploitation. Organizations using Go's html/template package in web applications that generate meta refresh tags with URLs are at risk. The vulnerability's medium severity and requirement for user interaction mean that exploitation is feasible but not trivial. The scope change indicates that the vulnerability can affect components beyond the immediate vulnerable code, potentially impacting multiple parts of an application or system. Without proper mitigation, attackers could leverage this flaw to compromise user trust and application security.

1. Upgrade to a Go version beyond 1.26.0-0 once an official patch is released that properly escapes URLs in meta content attributes with http-equiv="refresh". 2. Avoid using meta refresh tags with URLs in dynamic content generated via html/template until the issue is resolved. 3. If disabling escaping via the GODEBUG htmlmetacontenturlescape=0 setting is necessary for compatibility, ensure additional input validation and sanitization are applied to all user-supplied URLs to prevent injection. 4. Implement Content Security Policy (CSP) headers to restrict script execution sources and mitigate impact of potential XSS. 5. Conduct thorough code reviews focusing on template usage and input handling related to meta tags. 6. Educate developers about the risks of disabling escaping and encourage safe template practices. 7. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. 8. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting meta tag XSS patterns as an additional layer of defense.