Bug 2480759 (CVE-2026-42506)

Summary: CVE-2026-42506 golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, akostadi, akoudelk, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, aruklets, bdettelb, bniver, bparees, ckandaga, cmah, crizzo, dakwon, dhanak, dkeler, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jaharrin, jbalunas, jbritton, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mburns, mgarciac, mhackett, mhulan, mnovotny, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, suppawar, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vkarehfa, vvoronko, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in golang.org/x/net/html. When parsing arbitrary HTML that is subsequently rendered, an unexpected HTML tree can be generated. A remote attacker could leverage this vulnerability to execute Cross-Site Scripting (XSS) attacks in applications that attempt to sanitize input HTML before rendering, potentially leading to unauthorized actions or information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494606, 2494607, 2494608, 2494609, 2494611, 2494612, 2494613, 2494614, 2494616, 2494617, 2494618, 2494619, 2494620, 2494621, 2494622, 2494623, 2494624, 2494610, 2494615    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-22 16:01:25 UTC
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.