Bug 2480761 (CVE-2026-25681)
| Summary: | CVE-2026-25681 golang.org/x/net/html: Arbitrary code execution via Cross-Site Scripting | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, akostadi, akoudelk, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, bdettelb, bniver, bparees, ckandaga, cmah, crizzo, dakwon, dhanak, dkeler, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jaharrin, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mburns, mgarciac, mhackett, mhulan, mnovotny, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, suppawar, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vkarehfa, vvoronko, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in golang.org/x/net/html. A remote attacker could exploit this vulnerability by providing specially crafted HTML. When this arbitrary HTML is parsed and rendered, it can result in an unexpected HTML tree, bypassing input sanitization. This can be leveraged to execute Cross-Site Scripting (XSS) attacks, potentially leading to arbitrary code execution in applications that use the affected component. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2495235, 2495236, 2495237, 2495238, 2495239, 2495240, 2495241, 2495242, 2495243, 2495244, 2495245, 2495246, 2495247, 2495249, 2495250, 2495251, 2495252, 2495253, 2495254, 2495255, 2495256, 2495257, 2495258, 2495259, 2495260, 2495261, 2495262, 2495263, 2495264, 2495265, 2495266, 2495267, 2495268, 2495269, 2495270, 2495271, 2495272, 2495273, 2495274, 2495275, 2495276, 2495277, 2495278, 2495279, 2495280, 2495281, 2495282, 2495283, 2495284, 2495285, 2495286, 2495287, 2495288, 2495289, 2495290, 2495291, 2495292, 2495293, 2495294, 2495295, 2495296, 2495297, 2495298, 2495299, 2495300, 2495301, 2495302, 2495303, 2495304, 2495305, 2495306, 2495307, 2495308, 2495309, 2495310, 2495311, 2495312, 2495313, 2495314, 2495315, 2495316, 2495317, 2495319, 2495320, 2495321, 2495322, 2495323, 2495324, 2495325, 2495326, 2495327, 2495328, 2495329, 2495248, 2495318 | ||
| Bug Blocks: | |||
Description
OSIDB Bzimport
2026-05-22 16:01:30 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 10

Via RHSA-2026:34357 https://access.redhat.com/errata/RHSA-2026:34357

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2026:34359 https://access.redhat.com/errata/RHSA-2026:34359