GO-2026-4603 URLs in meta content attribute actions are not escaped in html/template

🗓️ 06 Mar 2026 21:03:42Reported by GoogleType

osv🔗 osv.dev👁 1 Views

Go bug: URLs in meta content are not escaped, risking XSS with http-equiv refresh; GODEBUG htmlmetacontenturlescape controls this.

Reporter	Title	Published	Views	Family All 1242
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality, denial of service and cross-site scripting	6 May 202613:02	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition	12 Jun 202611:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images	19 Jun 202608:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to cross-site-scripting in golang Go html/template [CVE-2026-27142]	21 May 202615:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Quantum Safe Remediator is affected by multiple vulnerabilities	5 May 202615:14	–	ibm
FreeBSD	www/gohugo -- CWE-79: XSS vulnerabilities	7 May 202600:00	–	freebsd
ATTACKERKB	CVE-2026-27142	6 Mar 202621:28	–	attackerkb
ATTACKERKB	CVE-2026-39823	7 May 202619:41	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1482)	30 Mar 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : credentials-fetcher (ALAS2023-2026-1501)	1 Apr 202600:00	–	nessus