Skip to content

fix(security): require Go 1.26.4 to patch html/template XSS#21

Merged
lex0c merged 1 commit into
mainfrom
ci/sec-pipeline-prod-build
Jun 28, 2026
Merged

fix(security): require Go 1.26.4 to patch html/template XSS#21
lex0c merged 1 commit into
mainfrom
ci/sec-pipeline-prod-build

Conversation

@lex0c

@lex0c lex0c commented Jun 28, 2026

Copy link
Copy Markdown
Owner

The new govulncheck gate flagged the go.mod go 1.26.1 directive: that toolchain's html/template has three reachable escaper-bypass XSS bugs (GO-2026-4865, GO-2026-4980, GO-2026-4982), fixed in 1.26.2/1.26.3.

This is reachable in prod, not just CI noise: gitcortex report renders git data into HTML via html/template (report.GenerateProfile -> template.Execute), so release binaries built on 1.26.1 shipped the vulnerable escaper. Bumping the directive makes setup-go install a patched toolchain everywhere (go-version-file: go.mod) and turns the govulncheck gate green.

The new govulncheck gate flagged the go.mod `go 1.26.1` directive: that
toolchain's html/template has three reachable escaper-bypass XSS bugs
(GO-2026-4865, GO-2026-4980, GO-2026-4982), fixed in 1.26.2/1.26.3.

This is reachable in prod, not just CI noise: `gitcortex report` renders
git data into HTML via html/template (report.GenerateProfile ->
template.Execute), so release binaries built on 1.26.1 shipped the
vulnerable escaper. Bumping the directive makes setup-go install a
patched toolchain everywhere (go-version-file: go.mod) and turns the
govulncheck gate green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lex0c lex0c merged commit 9fa7843 into main Jun 28, 2026
4 checks passed
@lex0c lex0c deleted the ci/sec-pipeline-prod-build branch June 28, 2026 02:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant