{"id":"GO-2026-4982","summary":"Bypass of meta content URL escaping causes XSS in html/template","details":"CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside a \u003cmeta\u003e tag's content attribute. If the URL content inserted ASCII whitespace around the '=' rune inside the content attribute, the escaper would still fail to escape the URL, leading to XSS.","aliases":["BIT-golang-2026-39823","CVE-2026-39823"],"modified":"2026-05-11T08:11:21.041304281Z","published":"2026-05-07T19:21:40Z","related":["CGA-x3r8-cgg4-9q3g"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4982"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78913"},{"type":"FIX","url":"https://go.dev/cl/769920"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"path":"html/template","symbols":["Template.Execute","Template.ExecuteTemplate","tMetaContent"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4982.json"}}],"schema_version":"1.7.5","credits":[{"name":"Samy Ghannad"}]}