CVE-2026-25680 is a denial-of-service vulnerability in the Go standard library package golang.org/x/net/html, triggered by parsing maliciously crafted HTML. An attacker could exploit this to crash or hang services that process arbitrary HTML input. This is particularly relevant to Azure-hosted Go applications and any managed services or pipelines built on the affected package.

Security Architect’s Take: Audit your Azure workloads and container images for any Go applications that import golang.org/x/net/html and process untrusted HTML input — patch to the fixed version of golang.org/x/net immediately and enforce dependency scanning in your CI/CD pipelines to catch similar library-level issues going forward.

Original advisory: CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html