CVE-2026-25681 is a vulnerability in the Go standard library package golang.org/x/net/html, where character references within DOCTYPE nodes are handled incorrectly. This can lead to unexpected parsing behaviour that may be exploited to bypass security controls or cause application-level issues in services built with Go. It is relevant to Azure and any cloud-hosted workload using this widely adopted Go HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version as soon as it is available. Pay particular attention to services that parse untrusted HTML input, as these carry the highest exploitation risk.

Original advisory: CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

CVE-2026-25680 is a denial-of-service vulnerability in the golang.org/x/net/html package, which is widely used by Go applications to parse HTML. An attacker can trigger the flaw by supplying specially crafted HTML input, causing the parser to consume excessive resources and crash or become unresponsive. Any Azure-hosted or Azure-integrated Go application that processes untrusted HTML content may be at risk.

Architect’s Take: Audit your Go-based workloads and container images for dependencies on golang.org/x/net and update to the patched version immediately; pay particular attention to internet-facing services that accept user-supplied or third-party HTML input, as these are the most directly exposed.

Original advisory: CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-42502 is a vulnerability in the golang.org/x/net/html package affecting how HTML elements in foreign content (such as SVG or MathML) are handled. Incorrect parsing behaviour could potentially be exploited to bypass security controls or cause unintended application behaviour in Go-based services. This is relevant to Azure workloads and any cloud-hosted applications built with Go that rely on this HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version immediately. Pay particular attention to services that parse or render user-supplied HTML, as these carry the highest risk of exploitation.

Original advisory: CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html