CVE Alert

CVE-2026-42554

UNKNOWN 0.0

Fiber: XSS in AutoFormat Content Negotiation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, a Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from the attacker-controlled Accept header. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
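
The branch selection described above, modelled with only the Go standard library. This is an added example, not Fiber's code and not taken from the advisory. The names negotiate and autoFormatModel, the <p> wrapper and the sample value are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// negotiate picks a reply format from the client-supplied Accept header.
// Simplified stand-in (assumption), not Fiber's real matching logic.
func negotiate(accept string) string {
	switch {
	case strings.Contains(accept, "text/html"):
		return "html"
	case strings.Contains(accept, "application/json"):
		return "json"
	}
	return "txt"
}

// autoFormatModel renders body in the negotiated format. With escapeHTML
// false, the html branch emits body raw (the behaviour the advisory
// describes); with true, it HTML-escapes first (the hardened form).
// The <p> wrapper is an assumption of this model.
func autoFormatModel(accept, body string, escapeHTML bool) (contentType, out string) {
	switch negotiate(accept) {
	case "html":
		if escapeHTML {
			body = html.EscapeString(body)
		}
		return "text/html; charset=utf-8", "<p>" + body + "</p>"
	case "json":
		b, _ := json.Marshal(body) // encoding/json escapes <, > and & by default
		return "application/json", string(b)
	}
	return "text/plain; charset=utf-8", body
}

func main() {
	name := "<script>alert(1)</script>" // constructed attacker-influenced value
	for _, accept := range []string{"application/json", "text/plain", "text/html"} {
		ct, out := autoFormatModel(accept, name, false)
		fmt.Printf("raw     Accept=%-16s -> %s | %s\n", accept, ct, out)
	}
	ct, out := autoFormatModel("text/html", name, true)
	fmt.Printf("escaped Accept=%-16s -> %s | %s\n", "text/html", ct, out)
}
```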

CWE: CWE-79
Vendor: gofiber
Product: fiber
Published: May 11, 2026

Affected Versions

gofiber / fiber
< 2.52.13
>= 3.0.0-beta.2, < 3.1.0

References

github.com: https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv