7.5
Unescaped URLs in Meta Tags Can Allow Cross-Site Scripting
CVE-2026-27142
BIT-golang-2026-27142
Summary
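Actions that insert URLs into the content attribute of an HTML meta tag are not escaped, which can allow cross-site scripting (XSS) when the same meta tag also has an http-equiv attribute with the value "refresh". The fixed version escapes URLs in actions that follow "url=" in the meta content attribute. A new GODEBUG setting, htmlmetacontenturlescape, controls this behavior: setting htmlmetacontenturlescape=0 disables the escaping, so it turns the protection off rather than mitigating the issue.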
What to do
- Update stdlib to version 1.26.1.
- Update golang to version 1.26.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | stdlib | > 1.26.0-0 , <= 1.26.1 | 1.26.1 |
| – | golang | > 1.26.0-0 , <= 1.26.1 | 1.26.1 |
Original title
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG s...
Original description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026