Unescaped URLs in Meta Tags Can Cause Cross-Site Scripting
DEBIAN-CVE-2026-27142
Summary
If a page uses a meta tag with an http-equiv attribute set to "refresh" and a template action inserts a URL into the content attribute, that URL is not escaped, so an attacker who controls the value can inject malicious code (cross-site scripting). The fixed versions escape URLs that follow "url=" in the content attribute. The new GODEBUG setting htmlmetacontenturlescape=0 disables that escaping and restores the old behavior, so it is not a mitigation; update your software instead.
What to do
- Update debian golang-1.25 to version 1.25.8-1.
- Update debian golang-1.26 to version 1.26.1-1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | <= 1.25.8-1 | 1.25.8-1 |
| debian | golang-1.26 | <= 1.26.1-1 | 1.26.1-1 |
Original title
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG s...
Original description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
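A triage helper for the condition described above, added here as an example and not taken from the Go project or the Debian tracker: it lists the meta refresh tags in a template source that place an action after "url=", and checks a GODEBUG string for the opt-out. The function names, the regular expressions and the sample template are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	metaTag   = regexp.MustCompile(`(?i)<meta\b[^>]*>`)
	isRefresh = regexp.MustCompile(`(?i)\bhttp-equiv\s*=\s*["']?refresh\b`)
	// content=... then "url=" then a template action, all inside one tag.
	urlAction = regexp.MustCompile(`(?i)\bcontent\s*=[^>]*?\burl\s*=[^>]*?\{\{`)
)

// FindRefreshURLActions returns every <meta http-equiv="refresh"> tag in a
// template source whose content attribute has an action after "url=".
func FindRefreshURLActions(src string) []string {
	var hits []string
	for _, tag := range metaTag.FindAllString(src, -1) {
		if isRefresh.MatchString(tag) && urlAction.MatchString(tag) {
			hits = append(hits, tag)
		}
	}
	return hits
}

// EscapingDisabled reports whether a GODEBUG string carries
// htmlmetacontenturlescape=0, the opt-out named in the advisory.
func EscapingDisabled(godebug string) bool {
	disabled := false
	for _, kv := range strings.Split(godebug, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if ok && k == "htmlmetacontenturlescape" {
			disabled = v == "0" // in this helper the last occurrence wins
		}
	}
	return disabled
}

// Constructed template source; .Next and .Desc are made-up fields.
const sample = `<meta http-equiv="refresh" content="5; url=/static/next.html">
<meta content="0; URL={{.Next}}" http-equiv="Refresh">
<meta name="description" content="{{.Desc}}">`

func main() {
	fmt.Println(FindRefreshURLActions(sample))
	fmt.Println(EscapingDisabled("htmlmetacontenturlescape=0"))
}
```

This is regex triage, not a template parser: a ">" inside an action cuts the tag short, and a content attribute built entirely from one action is not flagged. GODEBUG can also be set through a `//go:debug` directive or a `godebug` line in go.mod, which the helper does not read.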
- https://security-tracker.debian.org/tracker/CVE-2026-27142 Vendor Advisory
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026