🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-42506 is a vulnerability in the golang.org/x/net/html package where namespaced elements in foreign content (such as SVG or MathML within HTML) are handled incorrectly, potentially allowing malformed input to bypass parsing expectations. This could be exploited to conduct cross-site scripting (XSS) or HTML injection attacks in applications that rely on this Go library for HTML parsing or sanitisation. It is particularly relevant to Azure-hosted Go applications and services that process user-supplied HTML content.

Architect’s Take: Audit your Azure workloads and container images for any Go applications using golang.org/x/net/html and update to the patched version of the package immediately. Pay particular attention to services that parse or sanitise untrusted HTML input, as these are at greatest risk of exploitation.
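One way to run the audit described above, as an added example that is not part of the original advisory: a small Go tool that walks a directory (for instance an unpacked container image filesystem) and reports which Go binaries were built with golang.org/x/net, and at which version, using the standard library's debug/buildinfo. The function names are illustrative, and since this page does not state the patched version, compare the reported versions against the fixed version given in the original advisory.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"path/filepath"
	"runtime/debug"
)

// xnetVersion reports the x/net version in build info; a replaced module shows as path@version.
func xnetVersion(bi *debug.BuildInfo) (string, bool) {
	const xnet = "golang.org/x/net" // module that contains the html package
	for _, m := range bi.Deps {
		if m.Path == xnet && m.Replace != nil {
			return m.Replace.Path + "@" + m.Replace.Version, true
		} else if m.Path == xnet {
			return m.Version, true
		}
	}
	return "", false
}

// scan maps every Go binary under root that embeds x/net to that version.
func scan(root string) (map[string]string, error) {
	found := map[string]string{}
	return found, filepath.Walk(root, func(p string, fi os.FileInfo, err error) error {
		if err != nil || !fi.Mode().IsRegular() {
			return err // nil for directories and symlinks; a walk error aborts
		}
		if bi, rerr := buildinfo.ReadFile(p); rerr == nil { // error: not a Go binary
			if v, ok := xnetVersion(bi); ok {
				found[p] = v
			}
		}
		return nil
	})
}

func main() {
	found, err := scan(append(os.Args, ".")[1]) // directory argument, default "."
	for p, v := range found {
		fmt.Printf("%s\tgolang.org/x/net %s\n", p, v)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan incomplete:", err)
		os.Exit(1)
	}
}
```

Build info records modules rather than packages, so a hit shows that golang.org/x/net is linked into the binary, not that its html package is in use; treat each hit as a candidate for the update.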

Original advisory: CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html