CVE-2026-39823
Meta Tag XSS in Go HTML Template
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.10 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting (XSS) attacks, where an attacker can inject malicious scripts into web pages generated using the affected Go html/template package.
Such XSS attacks can compromise the security of users by executing arbitrary scripts in their browsers, potentially stealing sensitive information, hijacking user sessions, or performing other malicious actions.
Can you explain this vulnerability to me?
CVE-2026-39823 is a vulnerability in the Go standard library package html/template that involves incorrect escaping of URLs within the <content> attribute of a <meta> tag.
Specifically, if a URL contains ASCII whitespace characters around the '=' character inside the <content> attribute, the escaping mechanism fails to properly escape it. This failure can lead to a cross-site scripting (XSS) vulnerability.
The vulnerability is a bypass of a previous fix (CVE-2026-27142) that attempted to sanitize whitespace in dynamic inputs before escaping. The affected functions include Template.Execute and Template.ExecuteTemplate.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper escaping of URLs within the <content> attribute of <meta> tags in HTML generated by the Go html/template package. Detection would involve inspecting HTML output for <meta> tags where the URL in the content attribute contains ASCII whitespace around the '=' character.
Since the vulnerability is related to template execution in Go, you can detect it by reviewing or testing the output of Template.Execute or Template.ExecuteTemplate functions for unescaped URLs with whitespace around '=' in <meta> tags.
There are no specific commands provided in the resources to detect this vulnerability on a network or system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability was fixed in Go versions 1.25.10 and 1.26.3. Immediate mitigation involves upgrading your Go environment to at least these versions or later.
Ensure that your applications using the html/template package are rebuilt and redeployed with the updated Go versions that include the fix.
Review your use of Template.Execute and Template.ExecuteTemplate functions to confirm that they are not producing unescaped URLs with ASCII whitespace around '=' in <meta> tag content attributes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-39823 is a cross-site scripting (XSS) issue in the Go html/template package caused by improper escaping of URLs within the <content> attribute of a <meta> tag. XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data.
Such vulnerabilities may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure. If exploited, this XSS vulnerability could be used to steal user credentials, session tokens, or other sensitive data, thereby violating these compliance requirements.
However, the provided information does not explicitly discuss compliance impacts or mitigation strategies related to these standards.