The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross site scripting vulnerabilities even if uploaded data has been validated during upload. Versions 1.15 and 1.14.7 and below are affected.
3e08219d5677447756165c051aed3766da7e30f5b0c6159ccef3c81277c85c1f