#VU124117 Cross-site scripting in Go programming language - CVE-2026-27142
Published: March 19, 2026
Vulnerability identifier: #VU124117
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-27142
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser via cross-site scripting (XSS).
The vulnerability exists due to improper output neutralization in html/template when inserting URLs into the content attribute of HTML meta tags with an http-equiv="refresh" attribute. A remote attacker can craft a URL that is not properly escaped, leading to script execution when the page is rendered.
Exploitation requires user interaction, as the victim must load the malicious page. This vulnerability affects applications using the html/template package to generate such meta tags.
Remediation
Install security update from vendor's website.