CVE-2026-39823

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://go.dev/cl/769920	Patch
https://go.dev/issue/78913	Issue Tracking
https://groups.google.com/g/golang-announce/c/qcCIEXso47M	Release Notes
https://pkg.go.dev/vuln/GO-2026-4982	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

13 May 2026, 16:58

Type	Values Removed	Values Added
CPE		cpe:2.3:a:golang:go::::::::
First Time		Golang Golang go
CWE		CWE-79
References	~~() https://go.dev/cl/769920 -~~	() https://go.dev/cl/769920 - Patch
References	~~() https://go.dev/issue/78913 -~~	() https://go.dev/issue/78913 - Issue Tracking
References	~~() https://groups.google.com/g/golang-announce/c/qcCIEXso47M -~~	() https://groups.google.com/g/golang-announce/c/qcCIEXso47M - Release Notes
References	~~() https://pkg.go.dev/vuln/GO-2026-4982 -~~	() https://pkg.go.dev/vuln/GO-2026-4982 - Vendor Advisory

08 May 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1

07 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-07 20:16

Updated : 2026-05-13 16:58

NVD link : CVE-2026-39823

Mitre link : CVE-2026-39823

CVE.ORG link : CVE-2026-39823

JSON object : View

Products Affected

golang

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10