GO-2026-5029 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

🗓️ 22 May 2026 02:46:43Reported by GoogleType

osv

osv🔗 osv.dev👁 10 Views

Incorrect handling of character references in DOCTYPE nodes creates HTML trees enabling XSS.

Reporter	Title	Published	Views	Family All 1258
IBM Security Bulletins	Security Bulletin: IBM WebSphere Liberty Operator is affected by multiple vulnerabilities	24 Jun 202616:24	–	ibm
ATTACKERKB	CVE-2026-25681	22 May 202615:01	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : nerdctl (ALAS2023-2026-1788)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1835)	12 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1847)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : soci-snapshotter (ALAS2023-2026-1884)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : credentials-fetcher (ALAS2023-2026-1885)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1886)	22 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nerdctl, --advisory ALAS2-2026-3334 (ALAS-2026-3334)	8 Jun 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2026-129 (ALASDOCKER-2026-129)	12 Jun 202600:00	–	nessus

Source	Link
go	www.go.dev/issue/79574
groups	www.groups.google.com/g/golang-announce/c/iI-mYSI0lu8
go	www.go.dev/cl/781703

30 May 2026 05:14Current

6Medium risk

Vulners AI Score6

CVSS 3.16.1

EPSS0.00178

SSVC

Go language html parser doctype handling character references cross site scripting security risk