Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Published: 2026-04-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS) in JavaScript contexts
Action: Patch Now
AI Analysis

Impact

An error in the Go standard library’s html/template package caused context tracking to fail across conditional branches and inside JavaScript template literals, resulting in improper escaping of user-supplied data. This allows an attacker to inject malicious scripts into page content, leading to client-side code execution. The vulnerability is identified as a Cross‑Site Scripting flaw (CWE-79).

Affected Systems

Any Go application that uses the standard library’s html/template package to render JavaScript template literals is potentially affected. The advisory does not list specific Go versions, so users should verify whether their runtime precedes the release that introduced the fix and upgrade accordingly.

Risk and Exploitability

The vulnerability carries a CVSS 6.1 score, indicating a moderate impact. EPSS is reported at less than 1%, suggesting a low likelihood of widespread exploitation, and it is not listed in the CISA KEV catalog. Attackers would need to supply crafted template input that the application processes, exploiting the broken brace‑depth tracking to bypass escaping in a JS literal. Successful exploitation could lead to arbitrary script execution in users’ browsers, compromising confidentiality, integrity, and availability of the affected web service.

Generated by OpenCVE AI on April 13, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Go release that includes the fix for html/template.
  • If an upgrade is not possible immediately, avoid rendering user data within JavaScript template literals; use standard data slots or manually escape content in JS contexts.
  • Verify that your application’s templates are free from unclosed conditional branches and that all brace depth handling is correct.

Generated by OpenCVE AI on April 13, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
CWE-79

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library html/template
Vendors & Products Go Standard Library
Go Standard Library html/template

Wed, 08 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Title JsBraceDepth Context Tracking Bugs (XSS) in html/template
References

Subscriptions

Go Standard Library Html/template
Golang Go
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-13T18:20:46.377Z

Reserved: 2026-03-11T16:38:46.557Z

Link: CVE-2026-32289

cve-icon Vulnrichment

Updated: 2026-04-13T17:48:19.317Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T02:16:03.820

Modified: 2026-04-16T19:06:57.367

Link: CVE-2026-32289

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-08T01:06:56Z

Links: CVE-2026-32289 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:20Z

Weaknesses