CVE-2026-42506 golang.org/x/net CVE debrief

Who should care

Development teams using Go for web applications that accept and display HTML content; security engineers reviewing HTML sanitization pipelines; DevOps teams managing Go module dependencies.

Technical summary

The Go `golang.org/x/net/html` package constructs HTML DOM trees that may deviate from expectations when processing malformed or edge-case HTML input. If an application parses untrusted HTML, sanitizes it based on assumptions about parser behavior, then renders the result, the rendered output may contain executable scripts or other XSS payloads. The attack requires network access, user interaction with a malicious page, and affects confidentiality and integrity with low impact per the CVSS vector. Scope is changed (S:C) indicating the vulnerable component impacts resources beyond its security authority. No availability impact.

Defensive priority

medium

Recommended defensive actions

• Upgrade golang.org/x/net to version 0.55.0 or later.
• Audit applications that parse untrusted HTML and render it using `html/template` or similar rendering paths for unexpected DOM structures.
• Review HTML sanitization logic to ensure it operates on the parsed DOM rather than raw input strings, or validate output after rendering.
• Monitor golang-announce mailing list and Go security advisories for related follow-up fixes.

Evidence notes

NVD analyzed status confirmed as of 2026-05-29. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. Affected versions: golang:net prior to 0.55.0 for Go.

Official resources