{"id":"GO-2026-4440","summary":"Quadratic parsing complexity in golang.org/x/net/html","details":"The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.","aliases":["CVE-2025-47911","GHSA-w4gw-w5jq-g9jh"],"modified":"2026-05-15T10:59:23.883331519Z","published":"2026-02-05T17:23:14Z","related":["CGA-mhf2-24x8-jgh8","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4440","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/709876"},{"type":"REPORT","url":"https://github.com/golang/vulndb/issues/4440"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"}],"affected":[{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.45.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Parse","ParseFragment","ParseFragmentWithOptions","ParseWithOptions","parser.parse"],"path":"golang.org/x/net/html"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4440.json"}}],"schema_version":"1.7.3","credits":[{"name":"Guido Vranken"},{"name":"Jakub Ciolek"}]}