CVE-2026-42502 — Invoking incorrect handling of HTML elements in foreign content in golang.org/x/

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

How to fix CVE-2026-42502

To remediate CVE-2026-42502, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 0.55.0 or later

Is CVE-2026-42502 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 0.55.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-42502
PATCHgo.dev/cl/781701
REPORTgo.dev/issue/79572
WEBgroups.google.com/g/golang-announce/c/iI-mYSI0lu8