JustAppSec
UNKNOWN Severity

CVE-2026-27142

Last updated Mar 06, 2026 · Published Mar 06, 2026

← Back to list

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected products

1 listed
  • Go standard library:html/template

Mappings

CWE

CWE-79

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms

Need help?Get in touch.