Unescaped URLs in Meta Tags Allow Cross-Site Scripting
UBUNTU-CVE-2026-27142
Summary
Actions that insert URLs into the content attribute of HTML meta tags are not escaped. This can allow cross-site scripting when the meta tag also has an http-equiv attribute with the value "refresh" and a user visits a page rendered with an attacker-supplied URL. A new GODEBUG setting, htmlmetacontenturlescape, has been added; setting htmlmetacontenturlescape=0 disables the escaping of URLs that follow "url=" in the meta content attribute.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | golang-1.24 | All versions | – |
| canonical | golang-1.25 | All versions | – |
Original title
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG s...
Original description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
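An application-side check for the pattern described above, added here as an example and not taken from the advisory or the Go project: validate the redirect target against a scheme allowlist before it reaches the template action, so the result does not depend on the toolchain's escaping. It assumes Go's html/template package; `safeRefreshURL`, `renderRefresh` and the sample inputs are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// refreshTmpl mirrors the advisory's pattern: an action following "url="
// inside the content attribute of a meta refresh tag.
var refreshTmpl = template.Must(template.New("refresh").Parse(
	`<meta http-equiv="refresh" content="0; url={{.}}">`))

// safeRefreshURL accepts only absolute http(s) URLs with a host.
// Quotes, angle brackets, semicolons and whitespace are rejected outright
// (conservative: they carry meaning in the attribute or refresh syntax).
func safeRefreshURL(raw string) (string, bool) {
	if strings.ContainsAny(raw, "\"'<>; \t\r\n") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return "", false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", false
	}
	return u.String(), true
}

// renderRefresh renders the tag for a validated target and substitutes
// the caller's fallback when validation fails.
func renderRefresh(raw, fallback string) (string, error) {
	target, ok := safeRefreshURL(raw)
	if !ok {
		target = fallback
	}
	var sb strings.Builder
	err := refreshTmpl.Execute(&sb, target)
	return sb.String(), err
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, in := range []string{"https://example.com/next?x=1", "javascript:alert(1)", "//example.com"} {
		out, _ := renderRefresh(in, "/")
		fmt.Printf("%q -> %s\n", in, out)
	}
}
```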
- https://ubuntu.com/security/CVE-2026-27142 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-27142 Third Party Advisory
- https://github.com/golang/go/issues/77954 Third Party Advisory
- https://go.dev/cl/752081 Third Party Advisory
- https://go.dev/issue/77954 Third Party Advisory
- https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk Third Party Advisory
- https://pkg.go.dev/vuln/GO-2026-4603 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026