Go html/template Fix for CVE-2026-27142 Contains New Bypass Vector, Assigned CVE-2026-39823

Security researchers have identified a critical bypass in the patch for CVE-2026-27142 affecting Go's html/template package. The original vulnerability, which addressed template injection risks, can be circumvented when trusted template authors construct templates containing whitespace characters positioned between the `url` keyword and the assignment operator `=`. This new bypass vector has been assigned CVE-2026-39823 and is classified as a public-track vulnerability, meaning disclosure and remediation timelines follow standard coordinated vulnerability disclosure protocols.

The flaw specifically targets template authoring patterns where spaces, tabs, or other whitespace characters appear in template syntax following `url` but before the `=` sign. Such constructions could potentially allow attackers to craft inputs that evade the original CVE-2026-27142 fix. The vulnerability affects applications that process user-controlled template content or rely on third-party template authors operating within a supposedly trusted environment. Go developers using html/template for rendering user-supplied content face the highest exposure.

Organizations running Go applications that utilize html/template should audit their template code for whitespace patterns in URL-related template directives. The Go security team has flagged this as a public vulnerability, indicating that patches or mitigation guidance may be forthcoming through standard channels. Development teams should monitor go.dev security advisories and consider implementing input validation layers around template rendering as a temporary safeguard while awaiting an official patch for CVE-2026-39823.