Skip to content

chore(deps): update module golang.org/x/net to v0.55.0 [security] (v1.7)#193

Merged
mergify[bot] merged 1 commit into
v1.7from
renovate/v1.7-go-golang.org-x-net-vulnerability
Jun 26, 2026
Merged

chore(deps): update module golang.org/x/net to v0.55.0 [security] (v1.7)#193
mergify[bot] merged 1 commit into
v1.7from
renovate/v1.7-go-golang.org-x-net-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
golang.org/x/net v0.54.0v0.55.0 age confidence

Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-42506 / GO-2026-5025

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

CVE-2026-39821 / GO-2026-5026

More information

Details

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-42502 / GO-2026-5027

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-25680 / GO-2026-5028

More information

Details

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

CVE-2026-25681 / GO-2026-5029

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-27136 / GO-2026-5030

More information

Details

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone Asia/Taipei)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/v1.7-go-golang.org-x-net-vulnerability branch from d08963e to 2bc23eb Compare June 26, 2026 08:15
@mergify

mergify Bot commented Jun 26, 2026

Copy link
Copy Markdown

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@mergify mergify Bot merged commit 813e926 into v1.7 Jun 26, 2026
7 checks passed
@mergify mergify Bot deleted the renovate/v1.7-go-golang.org-x-net-vulnerability branch June 26, 2026 08:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants