golang.org/x/net v0.55.0 Security Update: Fixes CVE-2026-42505 XSS and CVE-2026-39821 Privilege Escalation

Vulnerability Summary: golang.org/x/net v0.55.0 Security Update Vulnerability Overview The Go language team has released version v0.55.0 of to address the following security vulnerabilities: 1. HTML Parser Incorrectly Handling Namespace Elements: - Issue: The HTML parser incorrectly handled certain namespace elements, potentially leading to XSS (Cross-Site Scripting) when rendering HTML. - CVE ID: CVE-2026-42505 - Go Issue Link: https://go.dev/issue/79571 2. x/net/html Failing to Reject ASCII-only Punycode Encoded Labels: - Issue: The ToASCII and ToUnicode functions incorrectly accepted Punycode encoded labels that decode to ASCII-only labels. For example, incorrectly returned the name instead of an error. - CVE ID: CVE-2026-39821 - Go Issue Link: https://go.dev/issue/78760 3. Error in idna Package Implementing UTS 46 Processing Algorithm: - Issue: The idna package implemented an error in the UTS 46 processing algorithm. Older versions of UTS 46 contained a specification error that allowed multiple ASCII labels to decode to the same Unicode label. UTS 46 revision 33 corrected this specification error. The idna package now implements the updated specification. - Impact: This behavior could lead to privilege escalation in programs using the idna package. For example, a program might perform permission checks on an ASCII hostname but allow . If the program subsequently converts the ASCII hostname to Unicode, it would inadvertently allow access to the Unicode name . - CVE ID: CVE-2026-42502 - Go Issue Link: https://go.dev/issue/79572 4. HTML Parser Incorrectly Handling HTML Elements: - Issue: The HTML parser incorrectly handled certain HTML elements, potentially leading to XSS when rendering HTML. - CVE ID: CVE-2026-42502 - Go Issue Link: https://go.dev/issue/79572 5. Denial of Service When Parsing Arbitrary HTML: - Issue: Parsing arbitrary HTML could lead to a denial of service. - CVE ID: CVE-2026-42502 - Go Issue Link: https://go.dev/issue/79572 Impact Scope HTML Parser Incorrectly Handling Namespace Elements: Could lead to XSS attacks. x/net/html Failing to Reject ASCII-only Punycode Encoded Labels: Could lead to privilege escalation. Error in idna Package Implementing UTS 46 Processing Algorithm: Could lead to privilege escalation. HTML Parser Incorrectly Handling HTML Elements: Could lead to XSS attacks. Denial of Service When Parsing Arbitrary HTML: Could lead to service unavailability. Remediation Update to v0.55.0: Upgrade to version v0.55.0 of to fix all the above security issues. Specific Fixes: - Fixed the HTML parser's handling of namespace elements. - Fixed the ToASCII and ToUnicode functions' handling of Punycode encoded labels. - Updated the idna package to comply with the UTS 46 revision 33 specification. - Fixed the HTML parser's handling of HTML elements. - Optimized performance when parsing arbitrary HTML to prevent denial of service. POC Code No specific POC code or exploit code was provided on the page.

Goal Reached Thanks to every supporter — we hit 100%!

golang.org/x/net v0.55.0 Security Update: Fixes CVE-2026-42505 XSS and CVE-2026-39821 Privilege Escalation