Go html/template XSS via meta content URL unescape <1.25.8, 1.26.0
CVE-2026-27142 Published on March 6, 2026
URLs in meta content attribute actions are not escaped in html/template
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Products Associated with CVE-2026-27142
Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.
Affected Versions
Go standard library html/template:- Before 1.25.8 is affected.
- Version 1.26.0-0 and below 1.26.1 is affected.