PT-2026-37270 · Fiber · Fiber

Wodzen · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-42554

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Fiber versions prior to 2.52.12
Fiber versions prior to 3.1.0

Description
A Cross-Site Scripting issue exists in the Go Fiber web framework. A remote attacker can inject arbitrary HTML or JavaScript by sending a request with an Accept: text/html header to a handler that passes attacker-influenced data to the AutoFormat() feature. Other formats such as JSON, XML, MsgPack, and CBOR are produced by encoders that neutralize markup, but the HTML branch of AutoFormat() (and of Format() in version 2) concatenates the data directly into HTML markup without output encoding. Because the framework selects the response format from the attacker-controlled Accept header, the attacker can force the unescaped HTML branch to run.

Recommendations
Update to version 2.52.12 or later. Update to version 3.1.0 or later. As a temporary workaround, avoid using the AutoFormat() function or the Format() function when handling data that can be influenced by users.
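The following self-contained Go program is an added example, not code from the Fiber project or from this advisory. It models the pattern the description names: the response format is chosen from the client-supplied Accept header, the JSON branch goes through an encoder that neutralizes markup, and the HTML branch either concatenates the value raw (the defect) or HTML-escapes it (the fix). The functions negotiate, renderUnsafe, renderSafe and markupSurvived are hypothetical stand-ins for the framework's own content negotiation and AutoFormat()/Format(); the input string is constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// negotiate returns the first media type in the Accept header that this toy
// server can produce, falling back to text/plain. It is a deliberately small
// stand-in (assumption) for a framework's content negotiation; the point is
// only that the client decides which rendering branch runs.
func negotiate(accept string) string {
	for _, part := range strings.Split(accept, ",") {
		mediaType := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		switch mediaType {
		case "application/json", "text/html", "text/plain":
			return mediaType
		}
	}
	return "text/plain"
}

// renderUnsafe reproduces the defect class from the advisory: JSON is produced
// by an encoder (encoding/json escapes <, > and & by default), but the HTML
// branch concatenates the value straight into markup.
// Returns (content type, body).
func renderUnsafe(accept, data string) (string, string) {
	ct := negotiate(accept)
	switch ct {
	case "application/json":
		b, _ := json.Marshal(data) // marshalling a plain string cannot fail
		return ct, string(b)
	case "text/html":
		return ct, "<p>" + data + "</p>" // defect: no output encoding
	default:
		return ct, data
	}
}

// renderSafe is the hardened form: the HTML branch escapes the value before
// placing it in element content. html.EscapeString is correct for element
// content only; attribute, URL and script contexts need context-aware
// encoding, which html/template provides.
func renderSafe(accept, data string) (string, string) {
	ct := negotiate(accept)
	switch ct {
	case "application/json":
		b, _ := json.Marshal(data)
		return ct, string(b)
	case "text/html":
		return ct, "<p>" + html.EscapeString(data) + "</p>"
	default:
		return ct, data
	}
}

// markupSurvived is the check a test suite can run over responses: an HTML
// response that reflects the input byte-for-byte has not encoded it, so for
// an input containing markup the markup reached the page unneutralized.
func markupSurvived(contentType, body, input string) bool {
	return contentType == "text/html" && strings.Contains(body, input)
}

func main() {
	// Constructed sample value: something a handler might echo back.
	input := "<script>alert(1)</script>"
	for _, accept := range []string{"application/json", "text/html", "*/*"} {
		ct, body := renderUnsafe(accept, input)
		fmt.Printf("unsafe  Accept=%-16s %-16s %s\n", accept, ct, body)
		ct, body = renderSafe(accept, input)
		fmt.Printf("safe    Accept=%-16s %-16s %s\n", accept, ct, body)
	}
}
```

Running it shows the JSON branch emitting `\u003cscript\u003e...` regardless of which renderer is used, while only the HTML branch differs between the two: renderUnsafe returns the input inside `<p>` verbatim, renderSafe returns `&lt;script&gt;...`. That is the whole of the advisory's point: the same handler data is safe or unsafe depending on a header the client chose, so any handler that feeds user-influenced values to a multi-format responder must treat the HTML branch as an output-encoding boundary.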

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-42554
GHSA-QJV7-627W-8QJV

Affected Products

Fiber