Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

Affected Packages

Go golang.org/x/net

Affected versions: 0 (fixed in 0.13.0)

Related CVEs

CVE-2023-3978

Key Information

GHSA ID

GHSA-2wrh-6pvc-2jm9

Published

August 2, 2023 9:30 PM

Last Modified

October 13, 2023 11:10 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

golang.org/x/net

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 18, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.