Go html/template XSS via meta content URL unescape <1.25.8, 1.26.0
CVE-2026-27142 Published on March 6, 2026
URLs in meta content attribute actions are not escaped in html/template
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Vulnerability Analysis
CVE-2026-27142 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Products Associated with CVE-2026-27142
Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.
Affected Versions
Go standard library html/template:- Before 1.25.8 is affected.
- Version 1.26.0-0 and below 1.26.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.