CVE-2026-25681
Medium
False Positive
golang.org/x/net/html to parse or render HTML content from user requests. The vulnerable HTML parsing code path is never invoked during KrakenD operation.
Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.
Component
golang.org/x/net (html)
Disclosed
May 26, 2026
The golang.org/x/net/html package incorrectly handles character references within DOCTYPE nodes, potentially allowing cross-site scripting through malformed DOCTYPE declarations in parsed HTML content.
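The assessment above rests on the HTML parsing code path never being invoked. The sketch below is an added example, not KrakenD's code and not part of the advisory. It shows one way to run a first-pass check of that kind on your own Go source tree by listing files that import golang.org/x/net/html. The names `FindImporters` and `Target` are hypothetical, and a hit only means the package is imported, not that the DOCTYPE handling is reached.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Target is the package named in the advisory (hypothetical constant name).
const Target = "golang.org/x/net/html"

// FindImporters walks root and returns each .go file importing pkg or a sub-package of it.
func FindImporters(root, pkg string) ([]string, error) {
	var hits []string
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(path, ".go") {
			return err // nil unless the walk itself failed
		}
		// ImportsOnly stops after the import block; function bodies are not parsed.
		f, err := parser.ParseFile(fset, path, nil, parser.ImportsOnly)
		if err != nil {
			return fmt.Errorf("parse %s: %w", path, err)
		}
		for _, imp := range f.Imports {
			p, _ := strconv.Unquote(imp.Path.Value)
			if p == pkg || strings.HasPrefix(p, pkg+"/") {
				hits = append(hits, path)
				break
			}
		}
		return nil
	})
	return hits, err
}

func main() {
	hits, err := FindImporters(".", Target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(strings.Join(hits, "\n"))
}
```

Only files under the scanned root are covered, so run it after `go mod vendor` if dependencies should be included. Sibling packages in the same module, such as golang.org/x/net/http2, are deliberately not matched.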