CVE-2026-25680

🗓️ 22 May 2026 15:01:21Reported by GoType

Denial of service risk from parsing arbitrary HTML in golang.org/x/net/html due to excessive CPU usage.

Reporter	Title	Published	Views	Family All 1098
ATTACKERKB	CVE-2026-25680	22 May 202615:01	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1788)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1835)	12 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nerdctl, --advisory ALAS2-2026-3334 (ALAS-2026-3334)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2026-129 (ALASDOCKER-2026-129)	12 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker, --advisory ALAS2NITRO-ENCLAVES-2026-110 (ALASNITRO-ENCLAVES-2026-110)	12 Jun 202600:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: CBL-Mariner Releases (CVE-2026-25680)	2 Jun 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : trivy (openSUSE-SU-2026:20956-1)	17 Jun 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : neonmodem (openSUSE-SU-2026:20963-1)	17 Jun 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-25680	27 May 202600:00	–	nessus

NVD

Node

golang netRange<0.55.0go

[
  {
    "vendor": "golang.org/x/net",
    "product": "golang.org/x/net/html",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "golang.org/x/net/html",
    "versions": [
      {
        "version": "0",
        "lessThan": "0.55.0",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "parser.parse"
      },
      {
        "name": "Parse"
      },
      {
        "name": "ParseFragment"
      },
      {
        "name": "ParseFragmentWithOptions"
      },
      {
        "name": "ParseWithOptions"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
go	www.go.dev/cl/781702
groups	www.groups.google.com/g/golang-announce/c/iI-mYSI0lu8
go	www.go.dev/issue/79573
pkg	www.pkg.go.dev/vuln/GO-2026-5028

17 Jun 2026 10:25Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.16.5

EPSS0.0034

SSVC

CWE-400