<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Xss on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/xss/</link><description>Recent content in Xss on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Thu, 04 Jun 2026 08:45:09 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/xss/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-27136: XSS in golang.org/x/net/html on Azure</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-27136-xss-golang-net-html-azure/</link><pubDate>Thu, 04 Jun 2026 08:45:09 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-27136-xss-golang-net-html-azure/</guid><description>CVE-2026-27136 is an XSS flaw in Go&amp;#39;s golang.org/x/net/html package. Azure-hosted Go apps may be at risk — patch now.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27136">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-27136 is a Cross-Site Scripting (XSS) vulnerability in the Go standard library package golang.org/x/net/html, triggered by duplicate HTML attributes during parsing. An attacker able to influence HTML content processed by an affected Go application could inject malicious scripts into users&rsquo; browsers. This is particularly relevant to cloud-hosted Go applications and services built on Azure that rely on this library for HTML handling.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Azure-hosted Go applications and container images for use of golang.org/x/net/html and update to the patched version immediately; also review your software composition analysis (SCA) tooling to ensure this transitive dependency is flagged across all pipelines.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27136">CVE-2026-27136 Invoking duplicate attributes can cause XSS in golang.org/x/net/html</a></p>
]]></content:encoded></item><item><title>CVE-2026-42506: Go x/net/html Namespace Parsing Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-42506-golang-x-net-html-namespaced-elements-foreign-content/</link><pubDate>Thu, 04 Jun 2026 08:45:02 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-42506-golang-x-net-html-namespaced-elements-foreign-content/</guid><description>CVE-2026-42506 affects golang.org/x/net/html, causing incorrect handling of namespaced elements in foreign content. Azure Go apps may be at risk of XSS or</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42506">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-42506 is a vulnerability in the golang.org/x/net/html package where namespaced elements in foreign content (such as SVG or MathML within HTML) are handled incorrectly, potentially allowing malformed input to bypass parsing expectations. This could be exploited to conduct cross-site scripting (XSS) or HTML injection attacks in applications that rely on this Go library for HTML parsing or sanitisation. It is particularly relevant to Azure-hosted Go applications and services that process user-supplied HTML content.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Azure workloads and container images for any Go applications using golang.org/x/net/html and update to the patched version of the package immediately. Pay particular attention to services that parse or sanitise untrusted HTML input, as these are at greatest risk of exploitation.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42506">CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html</a></p>
]]></content:encoded></item></channel></rss>