Golang.Org/X/Net/Html
cpe:2.3:a:golang.org/x/net:golang.org/x/net/html:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Golang.Org/X/Net (f0b6a2fa-f653-50af-a622-ff3dd5eee8cd) |
|---|---|
| Product | Golang.Org/X/Net/Html (c8e1cfd9-7ccb-5f17-97c5-a9272700d40b) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-42506 | vulnerable | 2026-06-08 08:03:16.377020 | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html<br>Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.<br>Published: 2026-05-22T15:01:21.056Z<br>Updated: 2026-05-22T17:45:49.989Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-42502 | vulnerable | 2026-06-08 08:03:16.374032 | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html<br>Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.<br>Published: 2026-05-22T15:01:21.649Z<br>Updated: 2026-05-22T17:17:20.637Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27136 | vulnerable | 2026-06-08 07:53:21.962768 | Invoking duplicate attributes can cause XSS in golang.org/x/net/html<br>Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.<br>Published: 2026-05-22T15:01:22.111Z<br>Updated: 2026-05-22T16:59:52.807Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25681 | vulnerable | 2026-06-08 07:53:20.187564 | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html<br>Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.<br>Published: 2026-05-22T15:01:21.975Z<br>Updated: 2026-05-22T17:46:20.366Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25680 | vulnerable | 2026-06-08 07:53:20.187352 | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html<br>Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.<br>Published: 2026-05-22T15:01:21.805Z<br>Updated: 2026-05-22T17:00:35.395Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58190 | vulnerable | 2026-06-08 07:35:17.428335 | Infinite parsing loop in golang.org/x/net<br>The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.<br>Published: 2026-02-05T17:48:44.693Z<br>Updated: 2026-02-12T15:22:37.685Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-47911 | vulnerable | 2026-06-08 07:27:15.064693 | Quadratic parsing complexity in golang.org/x/net/html<br>The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.<br>Published: 2026-02-05T17:48:44.562Z<br>Updated: 2026-02-12T15:23:55.509Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22872 | vulnerable | 2026-06-08 07:10:54.941001 | Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net<br>The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. `<math>`, `<svg>`, etc contexts).<br>Published: 2025-04-16T17:13:02.550Z<br>Updated: 2025-05-16T23:03:07.693Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-45338 | vulnerable | 2026-06-08 06:48:05.936450 | Non-linear parsing of case-insensitive content in golang.org/x/net/html<br>An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.<br>Published: 2024-12-18T20:38:22.660Z<br>Updated: 2025-02-21T18:03:32.301Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-3978 | vulnerable | 2026-06-08 06:09:40.955239 | Improper rendering of text nodes in golang.org/x/net/html<br>Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.<br>Published: 2023-08-02T19:48:56.676Z<br>Updated: 2024-09-27T21:57:51.807Z | Imported from gcve-enriched-dumps CVE data |