CVE-2026-42506 — Invoking incorrect handling of namespaced elements in foreign content in golang.

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

How to fix CVE-2026-42506

To remediate CVE-2026-42506, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 0.55.0 or later

Is CVE-2026-42506 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 0.55.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-42506
PATCHgo.dev/cl/781700
REPORTgo.dev/issue/79571
WEBgroups.google.com/g/golang-announce/c/iI-mYSI0lu8