PatchSiren cyber security CVE debrief

CVE-2026-42502 golang.org/x/net CVE debrief

A cross-site scripting (XSS) vulnerability in Go's golang.org/x/net/html package allows attackers to bypass HTML sanitization by crafting input that produces an unexpected HTML tree when parsed and subsequently rendered. The flaw affects applications that parse arbitrary HTML and then render it using the Render function, where the parser's output tree structure differs from what sanitizers expect. The vulnerability is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). Affected versions are those prior to 0.55.0 of the golang:net module. The issue was published on 2026-05-22 and last modified on 2026-05-29. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: golang.org/x/net
Product: golang.org/x/net/html
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-29
Advisory published: 2026-05-22
Advisory updated: 2026-05-29

Who should care

Development teams using Go's golang.org/x/net/html package to parse and render untrusted HTML content, particularly those implementing custom or third-party HTML sanitization before rendering. Security engineers reviewing Go web applications that accept HTML input from users. DevOps teams managing Go module dependencies and vulnerability scanning pipelines.

Technical summary

The golang.org/x/net/html package in Go fails to produce an HTML parse tree that matches the expectations of downstream sanitizers when processing crafted input. When an application parses arbitrary user-supplied HTML and then renders it using the Render function, the resulting DOM structure can contain elements or attributes that the original sanitizer did not remove or neutralize, because the sanitizer reasoned about a different tree than the one Render emits. This behavior enables XSS in applications that rely on pre-render sanitization as a security control. The CVSS 3.1 score of 6.1 (Medium) reflects a network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low impact on confidentiality and integrity, and no impact on availability. The fix is available in version 0.55.0 and later.

Defensive priority

medium

Recommended defensive actions

  • Upgrade golang.org/x/net to version 0.55.0 or later.
  • Review applications that parse untrusted HTML and render it using the Render function from golang.org/x/net/html.
  • Validate that HTML sanitization logic correctly handles the parsed output tree structure rather than relying solely on input filtering.
  • Monitor the Go security announcements mailing list and Go vulnerability database for related updates.

Evidence notes

The vulnerability description and affected product information are sourced from the NVD record for CVE-2026-42502. The CWE-1021 classification and CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) are derived from NVD analysis. Version boundary information (affected versions before 0.55.0) comes from NVD CPE criteria. Official Go project references include a code change, issue tracker entry, security announcement mailing list, and the Go vulnerability database entry GO-2026-5027.

Official resources
