VDB
DEBIAN-CVE-2026-27142
DEBIAN-CVE-2026-27142
PUBLISHED
CVSS 6.099999904632568 MEDIUM
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Risk Scores
CVSS 3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | golang-1.19 | 0, 1.19.10-1, 1.19.10-2 |
| Debian:14 | golang-1.26 | 1.26.0-1, 1.26, 1.26 |
| Debian:13 | golang-1.24 | 1.24.4-4, 0, 1.24.13-2 |
| Debian:14 | golang-1.25 | 1.25.0-2, 1.25.1-1, 1.25.2-1 |
| Debian:11 | golang-1.15 | 1.15.15-1~deb11u4, 1.15.15-1~deb11u3, 1.15.15-1~deb11u2 |
Exploit Intelligence
- scan.openvex.json (github-poc)
- CHANGELOG-v1.75.2.yml (github-poc)
- meta.yaml (github-poc)
- sec-build.yaml (github-poc)
- escape.go (github-poc)
Timeline
- Mar 6, 2026 CVE Published
- Apr 28, 2026 CVE Updated