MEDIUM
Gofiber
CVE published 2026-05-11
CVE-2026-42554
A Cross-Site Scripting (XSS) vulnerability in the Go Fiber web framework allows remote attackers to inject arbitrary HTML/JavaScript by supplying an `Accept: text/html` header on requests whose handlers pass attacker-influenced data to the `AutoFormat()` feature. The vulnerability exists because `AutoFormat()` performs content negotiation based on the attacker-controlled `Accept` header, and when `text/ht [truncated]