GO-2026-5025 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

🗓️ 22 May 2026 02:46:43Reported by GoogleType

osv

osv🔗 osv.dev👁 5 Views

2026-5025 exposes incorrect handling of namespaced elements, enabling cross site scripting.

Reporter	Title	Published	Views	Family All 1259
IBM Security Bulletins	Security Bulletin: IBM WebSphere Liberty Operator is affected by multiple vulnerabilities	24 Jun 202616:24	–	ibm
ATTACKERKB	CVE-2026-42506	22 May 202615:01	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1788)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1835)	12 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1847)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : soci-snapshotter (ALAS2023-2026-1884)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : credentials-fetcher (ALAS2023-2026-1885)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1886)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nerdctl, --advisory ALAS2-2026-3334 (ALAS-2026-3334)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2026-129 (ALASDOCKER-2026-129)	12 Jun 202600:00	–	nessus

Source	Link
go	www.go.dev/issue/79571
groups	www.groups.google.com/g/golang-announce/c/iI-mYSI0lu8
go	www.go.dev/cl/781700

30 May 2026 05:14Current

6Medium risk

Vulners AI Score6

CVSS 3.16.1

EPSS0.00188

SSVC

namespaced elements foreign content cross site scripting html parsing rendering path