CVE-2026-25681 — Invoking incorrect handling of character references in DOCTYPE nodes in golang.o

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

How to fix CVE-2026-25681

To remediate CVE-2026-25681, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 0.55.0 or later

Is CVE-2026-25681 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 0.55.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-25681
PATCHgo.dev/cl/781703
REPORTgo.dev/issue/79574
WEBgroups.google.com/g/golang-announce/c/iI-mYSI0lu8