CVE-2026-39823
Published: May 13, 2026Last modified: May 16, 2026
Description
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | go | Fixed (1.25.10-r0) |
| 25 LTS | go | Fixed (1.25.10-r0) | |
| Stream | go | Fixed (1.26.3-r0) | |
| Hardened Containers | 23 LTS | go | Fixed (1.25.10-r0) |
| 25 LTS | go | Fixed (1.25.10-r0) | |
| Stream | go | Fixed (1.26.3-r0) |