Bug 2480759 (CVE-2026-42506) - CVE-2026-42506 golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scripting (XSS) via arbitrary HTML parsing
Summary: CVE-2026-42506 golang.org/x/net/html: golang.org/x/net/html: Cross-Site Scrip...
Keywords:
Status: NEW
Alias: CVE-2026-42506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2494606 2494607 2494608 2494609 2494611 2494612 2494613 2494614 2494616 2494617 2494618 2494619 2494620 2494621 2494622 2494623 2494624 2494610 2494615
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-22 16:01 UTC by OSIDB Bzimport
Modified: 2026-07-02 20:47 UTC (History)
138 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-22 16:01:25 UTC
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.


Note You need to log in before you can comment on or make changes to this bug.