CVE-2026-42554
Cross-Site Scripting in Go Fiber Framework
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Fiber web framework for Go, specifically in versions prior to 2.52.12 and 3.1.0. It is a Cross-Site Scripting (XSS) vulnerability that allows a remote attacker to inject arbitrary HTML or JavaScript code. The attack occurs when the attacker sends a request with the header Accept: text/html to any handler that passes attacker-controlled data to the AutoFormat() feature. Although developers use AutoFormat() expecting safe, format-agnostic responses, Fiber mistakenly chooses the HTML branch based on the attacker-controlled Accept header, leading to unsafe raw HTML emission.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary HTML or JavaScript in the context of the victim's browser. This can lead to theft of sensitive information such as cookies or session tokens, unauthorized actions performed on behalf of the user, or the delivery of malicious payloads. Since the vulnerability is remotely exploitable without authentication, it poses a significant risk to applications using vulnerable versions of Fiber.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Fiber web framework to version 2.52.12 or later, or 3.1.0 or later, where the Cross-Site Scripting issue has been fixed.