Bug 2467811 (CVE-2026-39823)

Summary: CVE-2026-39823 html/template: golang: Go html/template: Cross-Site Scripting via improper URL escaping in meta tag content
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, akostadi, akoudelk, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, bbrownin, bdettelb, bniver, bparees, ckandaga, cmah, crizzo, dakwon, dhanak, dkeler, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jaharrin, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhess, mhulan, mnovotny, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, suppawar, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vkarehfa, vle, vvoronko, vwilson, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `html/template` package of Go. A remote attacker could exploit this vulnerability by inserting ASCII whitespaces around the equals sign (`=`) within a URL's content attribute inside a `<meta>` tag. This improper escaping could lead to Cross-Site Scripting (XSS), allowing the attacker to execute malicious scripts in the user's browser.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-07 20:01:21 UTC
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS.

Comment 2 errata-xmlrpc 2026-06-01 00:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120

Comment 3 errata-xmlrpc 2026-06-01 01:00:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121

Comment 4 errata-xmlrpc 2026-06-01 01:04:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:22112 https://access.redhat.com/errata/RHSA-2026:22112