CVE-2026-27136
Medium
False Positive
golang.org/x/net/html to parse or
render HTML content from user requests. The vulnerable HTML parsing code path is
never invoked during KrakenD operation.
Addressed through routine dependency maintenance in CE 2.13.6 and EE 2.13.4.
Component
golang.org/x/net (html)
Disclosed
May 26, 2026
The golang.org/x/net/html package incorrectly handles elements with duplicate
attributes, causing mis-parsing of the HTML structure and potentially enabling
cross-site scripting in applications that sanitize HTML using this package.