Mallory
Medium

Go html/template meta content URL escaping bypass XSS

Identifiers: CVE-2026-39823 · CWE-79 · Improper Neutralization of Input…

CVE-2026-39823 is a cross-site scripting vulnerability in Go's html/template package involving URL escaping within a <meta> tag's content attribute. The flaw is a bypass in the contextual escaper: when attacker-controlled URL content included ASCII whitespace around the '=' character inside the content attribute value, the escaper did not correctly sanitize and escape the input for that context. As a result, malformed attribute content could break out of the intended URL/value interpretation and be rendered in a way that enables script injection in the generated HTML. The issue is described as related to the earlier CVE-2026-27142 fix, with this CVE covering the meta content attribute case. The fix sanitizes whitespace in dynamic inputs before escaping.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in reflected or stored XSS in applications that render attacker-controlled data into a <meta> tag's content attribute using html/template. An attacker may be able to inject script-capable markup into the generated page, leading to execution of arbitrary JavaScript in the victim's browser within the origin of the vulnerable application. This can enable session theft, credential capture, DOM manipulation, CSRF facilitation, and other client-side compromise impacts typical of XSS.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid placing untrusted or attacker-influenced data into <meta> tag content attributes where URL semantics are expected. Apply strict server-side validation and normalization to such inputs, especially rejecting or canonicalizing ASCII whitespace around '=' and other malformed attribute-like sequences before template rendering. Where feasible, remove unnecessary dynamic generation of meta content values and enforce defense-in-depth controls such as CSP, recognizing that CSP does not eliminate the underlying templating flaw.
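As an added example (not code from the advisory or from the Go project), this is a pre-render gate implementing the two options the mitigation describes: rejecting a value that carries ASCII whitespace, or percent-encoding that whitespace so the html/template escaper never sees a bare space around '='. The refresh meta template and all function names are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// asciiSpace is the ASCII whitespace set the fix sanitizes; none of it may reach the escaper.
const asciiSpace = " \t\n\f\r"

// ValidateMetaURL is the "reject" option: raw whitespace or a non-http(s) URL is refused up front.
func ValidateMetaURL(raw string) error {
	if strings.ContainsAny(raw, asciiSpace) {
		return fmt.Errorf("meta content URL contains ASCII whitespace: %q", raw)
	}
	if u, err := url.Parse(raw); err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return fmt.Errorf("meta content URL must be absolute http(s): %q", raw)
	}
	return nil
}

// CanonicalizeMetaURL is the "canonicalize" option: each ASCII whitespace byte is percent-encoded,
// so "a = b" becomes "a%20=%20b" and the escaper never sees a bare space around '='.
func CanonicalizeMetaURL(raw string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(raw); i++ {
		if strings.IndexByte(asciiSpace, raw[i]) >= 0 {
			fmt.Fprintf(&b, "%%%02X", raw[i])
		} else {
			b.WriteByte(raw[i])
		}
	}
	return b.String(), ValidateMetaURL(b.String())
}

// metaTmpl is a hypothetical refresh tag (assumption): the value lands in the attribute context at issue.
var metaTmpl = template.Must(template.New("meta").Parse(`<meta http-equiv="refresh" content="0; url={{.}}">`))

// RenderRefreshMeta gates the value first and only then lets html/template escape it.
func RenderRefreshMeta(raw string) (string, error) {
	u, err := CanonicalizeMetaURL(raw)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = metaTmpl.Execute(&sb, u)
	return sb.String(), err
}
```

The gate sits in front of the template on purpose: it removes the malformed input class the advisory describes regardless of which Go version the escaper comes from, so it stays useful as defense in depth after patching.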

Remediation

Patch, then assume compromise.

Upgrade to a fixed Go release that includes the html/template correction for CVE-2026-39823. The issue is reported as addressed in the Go security releases 1.26.3 and 1.25.10. The fix sanitizes ASCII whitespace in dynamic inputs to the affected attribute context prior to escaping.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTAL

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor  | Product | Type
Golang  | Go      | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (10)

Community discussion across Reddit, Mastodon, and other social sources.