CVE-2026-42554
Received Received - Intake
Cross-Site Scripting in Go Fiber Framework

Publication date: 2026-05-11

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-18
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-42554
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gofiber fiber From 3.0.0 (inc) to 3.1.0 (exc)
gofiber fiber to 2.52.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Fiber web framework for Go, specifically in versions prior to 2.52.12 and 3.1.0. It is a Cross-Site Scripting (XSS) vulnerability that allows a remote attacker to inject arbitrary HTML or JavaScript code. The attack occurs when the attacker sends a request with the header Accept: text/html to any handler that passes attacker-controlled data to the AutoFormat() feature. Although developers use AutoFormat() expecting safe, format-agnostic responses, Fiber mistakenly chooses the HTML branch based on the attacker-controlled Accept header, leading to unsafe raw HTML emission.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary HTML or JavaScript in the context of the victim's browser. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the user, or the delivery of malicious payloads. Since the vulnerability is remotely exploitable without authentication, it poses a significant risk to applications using vulnerable versions of Fiber.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Fiber web framework to version 2.52.12 or later, or 3.1.0 or later, where the Cross-Site Scripting issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42554. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart