CVE-2026-27142

Public on 2026-03-06
Modified on 2026-03-12
Description
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
6.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent 2026-04-14 ALAS2-2026-3248 Fixed
Amazon Linux 2023 amazon-cloudwatch-agent 2026-04-13 ALAS2023-2026-1572 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra amazon-ecr-credential-helper 2026-04-14 ALAS2NITRO-ENCLAVES-2026-095 Fixed
Amazon Linux 2 - Docker Extra amazon-ecr-credential-helper 2026-04-14 ALAS2DOCKER-2026-109 Fixed
Amazon Linux 2 - Ecs Extra amazon-ecr-credential-helper 2026-04-14 ALAS2ECS-2026-103 Fixed
Amazon Linux 2023 amazon-ecr-credential-helper 2026-04-13 ALAS2023-2026-1574 Fixed
Amazon Linux 2 - Core cni-plugins Pending Fix
Amazon Linux 2023 cni-plugins Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd 2026-02-19 ALAS2NITRO-ENCLAVES-2026-092 Fixed
Amazon Linux 2 - Docker Extra containerd 2026-04-14 ALAS2DOCKER-2026-104 Fixed
Amazon Linux 2 - Ecs Extra containerd 2026-04-14 ALAS2ECS-2026-102 Fixed
Amazon Linux 2023 containerd 2026-04-13 ALAS2023-2026-1534 Fixed
Amazon Linux 2023 credentials-fetcher 2026-04-01 ALAS2023-2026-1501 Fixed
Amazon Linux 2 - Core cri-tools Pending Fix
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra docker 2026-04-14 ALAS2NITRO-ENCLAVES-2026-094 Fixed
Amazon Linux 2 - Docker Extra docker 2026-04-14 ALAS2DOCKER-2026-108 Fixed
Amazon Linux 2 - Ecs Extra docker 2026-04-14 ALAS2ECS-2026-106 Fixed
Amazon Linux 2023 docker 2026-04-13 ALAS2023-2026-1571 Fixed
Amazon Linux 2 - Ecs Extra ecs-init 2026-04-14 ALAS2ECS-2026-101 Fixed
Amazon Linux 2023 ecs-init 2026-04-13 ALAS2023-2026-1552 Fixed
Amazon Linux 2 - Core golang 2026-03-19 ALAS2-2026-3203 Fixed
Amazon Linux 2023 golang 2026-03-27 ALAS2023-2026-1482 Fixed
Amazon Linux 2 - Core golang-github-cpuguy83-go-md2man Not Affected
Amazon Linux 2 - Core golist 2026-03-19 ALAS2-2026-3202 Fixed
Amazon Linux 2023 golist 2026-04-01 ALAS2023-2026-1513 Fixed
Amazon Linux 2023 libcap Pending Fix
Amazon Linux 2 - Core nerdctl 2026-04-14 ALAS2-2026-3229 Fixed
Amazon Linux 2023 nerdctl 2026-04-13 ALAS2023-2026-1535 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra oci-add-hooks 2026-04-14 ALAS2NITRO-ENCLAVES-2026-096 Fixed
Amazon Linux 2 - Docker Extra oci-add-hooks 2026-04-14 ALAS2DOCKER-2026-110 Fixed
Amazon Linux 2 - Ecs Extra oci-add-hooks 2026-04-14 ALAS2ECS-2026-104 Fixed
Amazon Linux 2023 oci-add-hooks 2026-04-13 ALAS2023-2026-1575 Fixed
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra runc 2026-04-14 ALAS2NITRO-ENCLAVES-2026-093 Fixed
Amazon Linux 2 - Docker Extra runc 2026-04-14 ALAS2DOCKER-2026-105 Fixed
Amazon Linux 2 - Ecs Extra runc 2026-04-14 ALAS2ECS-2026-105 Fixed
Amazon Linux 2023 runc 2026-04-13 ALAS2023-2026-1541 Fixed
Amazon Linux 2 - Docker Extra runfinch-finch 2026-02-19 ALAS2DOCKER-2026-103 Fixed
Amazon Linux 2023 runfinch-finch 2026-04-01 ALAS2023-2026-1507 Fixed
Amazon Linux 2 - Docker Extra soci-snapshotter 2026-04-14 ALAS2DOCKER-2026-107 Fixed
Amazon Linux 2023 soci-snapshotter 2026-04-13 ALAS2023-2026-1573 Fixed
Amazon Linux 2023 yq 2026-04-13 ALAS2023-2026-1582 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-27142 Mitre: CVE-2026-27142