Security Advisory

CVE-2026-27142

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-06 21:28:14

Last updated 2026-03-16 15:21:14

Assigner Go

State PUBLISHED

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

← Browse all CVEs View on cve.org ↗