CVE-2026-27142: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Go standard library html/template
CVE-2026-27142 is a medium severity cross-site scripting (XSS) vulnerability in the Go standard library's html/template package. It occurs because URLs inserted into the content attribute of HTML meta tags are not properly escaped when the meta tag includes an http-equiv attribute with the value "refresh". This improper neutralization can allow an attacker to inject malicious scripts. A new GODEBUG setting, htmlmetacontenturlescape, has been introduced to control escaping behavior for URLs in meta content attributes. No official patch or fix details are provided in the available data.
AI Analysis
Technical Summary
The vulnerability in Go's html/template package arises from improper escaping of URLs inserted into the content attribute of HTML meta tags that also have an http-equiv="refresh" attribute. This can lead to cross-site scripting (CWE-79) attacks. The issue affects Go versions up to 1.26.0-0. A new environment variable setting, htmlmetacontenturlescape, allows disabling escaping of URLs in these contexts, which may influence mitigation strategies. The CVSS 3.1 base score is 6.1, indicating medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality and integrity impact.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application by injecting malicious content into meta refresh tags. This can lead to partial confidentiality and integrity impacts as indicated by the CVSS vector. There is no indication of availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The new GODEBUG setting htmlmetacontenturlescape can be used to control escaping behavior, but its use may disable escaping and potentially increase risk if misconfigured. Users should monitor official Go project advisories for updates or patches addressing this vulnerability. Until a fix is available, carefully review and sanitize any user-controlled input that may be inserted into meta refresh content attributes.
CVE-2026-27142: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Go standard library html/template
Description
CVE-2026-27142 is a medium severity cross-site scripting (XSS) vulnerability in the Go standard library's html/template package. It occurs because URLs inserted into the content attribute of HTML meta tags are not properly escaped when the meta tag includes an http-equiv attribute with the value "refresh". This improper neutralization can allow an attacker to inject malicious scripts. A new GODEBUG setting, htmlmetacontenturlescape, has been introduced to control escaping behavior for URLs in meta content attributes. No official patch or fix details are provided in the available data.
CVSS v3.1
Score 6.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Go's html/template package arises from improper escaping of URLs inserted into the content attribute of HTML meta tags that also have an http-equiv="refresh" attribute. This can lead to cross-site scripting (CWE-79) attacks. The issue affects Go versions up to 1.26.0-0. A new environment variable setting, htmlmetacontenturlescape, allows disabling escaping of URLs in these contexts, which may influence mitigation strategies. The CVSS 3.1 base score is 6.1, indicating medium severity, with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality and integrity impact.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application by injecting malicious content into meta refresh tags. This can lead to partial confidentiality and integrity impacts as indicated by the CVSS vector. There is no indication of availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The new GODEBUG setting htmlmetacontenturlescape can be used to control escaping behavior, but its use may disable escaping and potentially increase risk if misconfigured. Users should monitor official Go project advisories for updates or patches addressing this vulnerability. Until a fix is available, carefully review and sanitize any user-controlled input that may be inserted into meta refresh content attributes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Go
- Date Reserved
- 2026-02-17T19:57:28.435Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69ab4b1fc48b3f10ffddeb19
Added to database: 3/6/2026, 9:46:07 PM
Last enriched: 6/3/2026, 9:22:42 PM
Last updated: 6/5/2026, 9:36:23 AM
Views: 202
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.