CVE-2026-27142

Name	CVE-2026-27142
Description	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-1.15 (PTS)	bullseye	1.15.15-1~deb11u4	vulnerable
golang-1.19 (PTS)	bookworm	1.19.8-2	vulnerable
golang-1.24 (PTS)	trixie	1.24.4-1	vulnerable
	forky, sid	1.24.13-2	vulnerable
golang-1.25 (PTS)	forky, sid	1.25.8-1	fixed
golang-1.26 (PTS)	forky, sid	1.26.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
golang-1.15	source	(unstable)	(unfixed)
golang-1.19	source	(unstable)	(unfixed)
golang-1.24	source	(unstable)	(unfixed)
golang-1.25	source	(unstable)	1.25.8-1
golang-1.26	source	(unstable)	1.26.1-1

Notes

[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
https://github.com/golang/go/issues/77954
Fixed by: https://github.com/golang/go/commit/994692847a2cd3efd319f0cb61a07c0012c8a4ff (go1.26.1)
Fixed by: https://github.com/golang/go/commit/a9db31e6d9f280418ce441067f3f9dc0a036e770 (go1.25.8)