<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Injection on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/injection/</link><description>Recent content in Injection on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 18 Jun 2025 08:40:41 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/injection/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-25681: Go net/html DOCTYPE Parsing Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-25681-golang-net-html-doctype-character-reference-azure/</link><pubDate>Thu, 18 Jun 2026 08:40:41 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-25681-golang-net-html-doctype-character-reference-azure/</guid><description>CVE-2026-25681 affects golang.org/x/net/html, causing incorrect DOCTYPE character reference handling. Azure workloads using Go may be at risk.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25681">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-25681 is a vulnerability in the Go standard library package golang.org/x/net/html, where character references within DOCTYPE nodes are handled incorrectly. This can lead to malformed HTML parsing behaviour, potentially enabling injection or bypass attacks in applications that rely on this library for HTML processing. Any Azure services or workloads built with affected versions of the Go net/html package may be exposed.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit your Go-based services and container images for dependencies on golang.org/x/net/html and update to the patched version as soon as it is available. Pay particular attention to internal tooling, API gateways, or microservices that parse untrusted HTML input, as these represent the highest risk surface.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25681">CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html</a></p>
]]></content:encoded></item></channel></rss>