CVE-2026-27136
Invoking duplicate attributes can cause XSS in golang.org/x/net/html
6.1
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
How to fix CVE-2026-27136
To remediate CVE-2026-27136, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 0.55.0 or later
Is CVE-2026-27136 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 0.55.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |