PT-2025-13800 · Beego · Beego

Thevilledev · Published 2025-03-31 · Updated 2025-08-01 · CVE-2025-30223

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Beego versions prior to 2.3.6
Description: Beego is an open-source web framework for the Go programming language. A cross-site scripting (XSS) vulnerability exists in the RenderForm() function because user-controlled data is not HTML-escaped. RenderForm() generates the complete markup of a form from a struct and does not escape the attribute values it emits, so any application that passes user-provided data to RenderForm() is affected. An attacker who can influence those values can inject JavaScript that runs in the browser of the user who views the rendered form, which can lead to session hijacking, credential theft or account takeover. The vulnerable code is the renderFormField() function in templatefunc.go (around lines 316-356), where user-provided values are written directly into HTML without escaping.
Recommendations: Update Beego to version 2.3.6 or later. If an immediate upgrade is not possible, HTML-escape every user-controlled value before it is placed in a struct that is handed to RenderForm().
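Added illustration, not code from the advisory and not Beego's own templatefunc.go: a small stand-alone Go program that reproduces the pattern the description refers to. It assumes a `form:"name,type,label"` struct tag (modelled on Beego's documented convention, and assumed here to always carry all three parts), a constructed profile struct and a constructed payload. renderUnsafe interpolates the struct values straight into attribute positions with fmt.Sprintf, renderSafe passes every fragment through html/template's HTMLEscapeString first, and hasAttribute is a small tag tokeniser that shows the unsafe output acquired an attacker-chosen onfocus attribute while the escaped output did not.

```go
package main

import (
	"fmt"
	"html/template"
	"reflect"
	"regexp"
	"strings"
)

// field is one rendered form control. This file is a constructed stand-in for
// the pattern the advisory describes, not Beego's own templatefunc.go.
type field struct{ name, typ, label, value string }

// fieldsOf reads a `form:"name,type,label"` struct tag (assumed here to follow
// Beego's convention and to always have all three parts) and pairs it with the
// field's current value.
func fieldsOf(obj interface{}) []field {
	v := reflect.Indirect(reflect.ValueOf(obj))
	var out []field
	for i := 0; i < v.NumField(); i++ {
		p := strings.Split(v.Type().Field(i).Tag.Get("form"), ",")
		out = append(out, field{name: p[0], typ: p[1], label: p[2], value: fmt.Sprint(v.Field(i).Interface())})
	}
	return out
}

const control = `<label for="%s">%s</label><input id="%s" name="%s" type="%s" value="%s"><br>` + "\n"

// render interpolates each field into attribute positions with fmt.Sprintf,
// passing every dynamic fragment through esc first.
func render(obj interface{}, esc func(string) string) string {
	var b strings.Builder
	for _, f := range fieldsOf(obj) {
		fmt.Fprintf(&b, control, esc(f.name), esc(f.label), esc(f.name), esc(f.name), esc(f.typ), esc(f.value))
	}
	return b.String()
}

// renderUnsafe is the vulnerable shape: values reach the markup untouched, so a
// double quote in a value closes the attribute and whatever follows becomes
// new attributes on the <input>.
func renderUnsafe(obj interface{}) string { return render(obj, func(s string) string { return s }) }

// renderSafe is the hardened shape: html/template's HTMLEscapeString turns
// ", ', <, > and & into entities before they are placed in the markup.
func renderSafe(obj interface{}) string { return render(obj, template.HTMLEscapeString) }

var inputTag = regexp.MustCompile(`<input[^>]*>`)

// attributeNames tokenises one tag into its attribute names; spaces inside a
// double-quoted value stay part of that value, as a browser would read them.
func attributeNames(tag string) []string {
	var names []string
	var cur strings.Builder
	inQuote := false
	flush := func() {
		if name, _, _ := strings.Cut(cur.String(), "="); name != "" {
			names = append(names, name)
		}
		cur.Reset()
	}
	for _, r := range strings.Trim(tag, "<>") {
		if r == '"' {
			inQuote = !inQuote
		} else if r == ' ' && !inQuote {
			flush()
			continue
		}
		cur.WriteRune(r)
	}
	flush()
	return names[1:] // drop the tag name itself
}

// hasAttribute reports whether any <input> in markup carries attr. An event
// handler the template never wrote means the attribute boundary was broken.
func hasAttribute(markup, attr string) bool {
	for _, tag := range inputTag.FindAllString(markup, -1) {
		for _, n := range attributeNames(tag) {
			if strings.EqualFold(n, attr) {
				return true
			}
		}
	}
	return false
}

// profile is a constructed model; the tag values are assumptions for the example.
type profile struct {
	Name  string `form:"name,text,Display name"`
	Email string `form:"email,email,E-mail"`
}

func main() {
	// Constructed payload: the leading quote closes value="", and autofocus makes
	// the onfocus handler fire as soon as the page renders, without a click.
	p := profile{Name: `" autofocus onfocus="alert(document.cookie)`, Email: "a@b.example"}
	fmt.Print(renderUnsafe(p), "onfocus present: ", hasAttribute(renderUnsafe(p), "onfocus"), "\n")
	fmt.Print(renderSafe(p), "onfocus present: ", hasAttribute(renderSafe(p), "onfocus"), "\n")
}
```

The escaped rendering still contains the text `onfocus=`, which is why a plain substring check is the wrong test for this bug: what matters is whether the browser sees it as a new attribute or as part of the quoted value, and that is what the tokeniser checks.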

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2025-30223
GHSA-2J42-H78H-Q4FG
GO-2025-3585
OPENSUSE-SU-2025:14970-1

Affected Products

Beego