CVE-2026-27142

ADVISORY - nist

Summary

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-noinfo⁠

Impacted images

Advisories

GoLang

CREATED

9 hours ago

UPDATED

9 hours ago

ADVISORY IDGO-2026-4603⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Package	Type	OS Name	OS Version	Affected Ranges	Fix Versions
stdlib	golang	-	-	<1.25.8	1.25.8
stdlib	golang	-	-	>=1.26.0-0,<1.26.1	1.26.1

Severity and metrics

No CVSS data available from this advisory.

NIST

CREATED

8 hours ago

UPDATED

8 hours ago

ADVISORY IDCVE-2026-27142⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

RATING UNAVAILABLE FROM ADVISORY

Alpine

CREATED

20 hours ago

UPDATED

20 hours ago

ADVISORY IDCVE-2026-27142⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Debian

CREATED

7 hours ago

UPDATED

2 hours ago

ADVISORY IDCVE-2026-27142⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY