anonhaven
Ad

CVE-2026-27142

NONE
Updated Mar 06, 2026
Meta
Parameter Value
Vendor Meta
Public PoC No

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

References 4

https://go.dev/cl/752081
security@golang.org
https://go.dev/issue/77954
security@golang.org
https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4603
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2025-14675

Meta

7.2

CVE-2026-29110

Meta

2.2

CVE-2026-2593

Meta

6.4

CVE-2026-2893

Meta

6.5

CVE-2026-2356

Meta

5.3