CVE-2026-27142

URLs in meta content attribute actions are not escaped in html/template

CVSS 6.1 MEDIUMEPSS 0.3%

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Go standard library · html/template

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://go.dev/cl/752081 https://go.dev/issue/77954 https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk https://pkg.go.dev/vuln/GO-2026-4603