Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-03-06
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-03-06
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-12-03
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
CVSS Score
9.8
EPSS Score
0.071
Published
2024-04-10
Page 2