Bug 2480761 (CVE-2026-25681)

Summary: CVE-2026-25681 golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abarbaro, akostadi, akoudelk, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, bdettelb, bniver, bparees, ckandaga, cmah, crizzo, dakwon, dhanak, dkeler, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jaharrin, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mburns, mgarciac, mhackett, mhulan, mnovotny, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, suppawar, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vkarehfa, vvoronko, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in golang.org/x/net/html. A remote attacker could exploit this vulnerability by providing specially crafted HTML. When such HTML is parsed with this package and the resulting tree is serialized with Render, the serialized output can re-parse to a different HTML tree than the one the application inspected, so an application that sanitizes the parsed tree before rendering can emit markup its sanitizer never saw. This can be leveraged to execute Cross-Site Scripting (XSS) attacks, that is, to run attacker-controlled script in the browsers of users of applications that use the affected component.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2495235, 2495236, 2495237, 2495238, 2495239, 2495240, 2495241, 2495242, 2495243, 2495244, 2495245, 2495246, 2495247, 2495249, 2495250, 2495251, 2495252, 2495253, 2495254, 2495255, 2495256, 2495257, 2495258, 2495259, 2495260, 2495261, 2495262, 2495263, 2495264, 2495265, 2495266, 2495267, 2495268, 2495269, 2495270, 2495271, 2495272, 2495273, 2495274, 2495275, 2495276, 2495277, 2495278, 2495279, 2495280, 2495281, 2495282, 2495283, 2495284, 2495285, 2495286, 2495287, 2495288, 2495289, 2495290, 2495291, 2495292, 2495293, 2495294, 2495295, 2495296, 2495297, 2495298, 2495299, 2495300, 2495301, 2495302, 2495303, 2495304, 2495305, 2495306, 2495307, 2495308, 2495309, 2495310, 2495311, 2495312, 2495313, 2495314, 2495315, 2495316, 2495317, 2495319, 2495320, 2495321, 2495322, 2495323, 2495324, 2495325, 2495326, 2495327, 2495328, 2495329, 2495248, 2495318    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-22 16:01:30 UTC
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Comment 2 errata-xmlrpc 2026-07-01 18:36:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:34357 https://access.redhat.com/errata/RHSA-2026:34357

Comment 3 errata-xmlrpc 2026-07-01 19:21:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:34359 https://access.redhat.com/errata/RHSA-2026:34359