- CVE-2026-27142: fix missing escaping of URLs in meta tag content attributes in html/template by tracking the url= portion of the content attribute and applying URL escaping (prerequisite for CVE-2026-39823) - CVE-2026-39826: fix escaper bypass in html/template by treating script type attributes that are empty or whitespace-only as JavaScript - CVE-2026-39825: fix query parameter smuggling in net/http/httputil ReverseProxy by reencoding outbound queries that exceed the urlmaxqueryparams limit so Rewrite hooks cannot be bypassed - CVE-2026-39819: fix 'go bug' writing files with predictable names in the system temporary directory by creating a private directory with os.MkdirTemp, preventing symlink-based file overwrite - CVE-2026-39817: fix 'go tool pack' extracting archive entries to arbitrary filesystem locations by refusing to extract files with directory components - CVE-2026-39823: fix XSS in html/template where ASCII whitespace around the '=' rune in a meta tag content attribute URL bypassed URL escaping