CVE-2023-3978

MEDIUM6.1EPSS 0.10%

Improper rendering of text nodes in golang.org/x/net/html

Published: 8/2/2023Modified: 2/4/2026

Also known as:GHSA-2wrh-6pvc-2jm9CGA-gr29-97p2-2w3cDEBIAN-CVE-2023-3978GO-2023-1988

Description

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

Affected packages (3)

Debian/golang-golang-x-netfrom 0
Go/golang.org/x/netfrom 0, < 0.13.0
Go/golang.org/x/netfrom 0, < 0.13.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3978
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2023-3978
WEBhttps://go.dev/cl/514896
WEBhttps://go.dev/issue/61615
WEBhttps://pkg.go.dev/vuln/GO-2023-1988