{"id":"GO-2026-4441","summary":"Infinite parsing loop in golang.org/x/net","details":"The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.","aliases":["CVE-2025-58190"],"modified":"2026-05-15T10:59:06.038406270Z","published":"2026-02-05T17:23:17Z","related":["CGA-676m-cmwh-7rgc","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4441","review_status":"REVIEWED"},"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c"},{"type":"REPORT","url":"https://github.com/golang/vulndb/issues/4441"},{"type":"FIX","url":"https://go.dev/cl/709875"}],"affected":[{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.45.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Parse","ParseFragment","ParseFragmentWithOptions","ParseWithOptions","inRowIM"],"path":"golang.org/x/net/html"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4441.json"}}],"schema_version":"1.7.5","credits":[{"name":"Guido Vranken"}]}