The HTML parser mishandled character references in DOCTYPE nodes, causing
them to be incorrectly rendered. This can lead to XSS when rendering parsed
HTML.
Thanks to ensy for reporting this issue.
This is CVE-2026-25681 and Go issue https://go.dev/issue/79574.
This was a PRIVATE track issue, tracked in http://b/482232977.
The HTML parser mishandled character references in DOCTYPE nodes, causing
them to be incorrectly rendered. This can lead to XSS when rendering parsed
HTML.
Thanks to ensy for reporting this issue.
This is CVE-2026-25681 and Go issue https://go.dev/issue/79574.
This was a PRIVATE track issue, tracked in http://b/482232977.