CVE-2026-39826 - Vulnerability Details

- Escaper bypass leads to XSS in html/template

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Published: 2026-05-07

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Go standard library html/template package is intended to escape data injected into templates so that HTML, CSS, and JavaScript contexts remain safe. When a trusted template author writes a <script> tag with an empty or whitespace‑only "type" attribute, the rendering logic incorrectly treats the content as plain text and skips the escape step. Any data that is substituted into the script block is therefore inserted verbatim, allowing an attacker who can supply a susceptible template to inject arbitrary JavaScript and execute it in the visitor’s browser.

Affected Systems

This vulnerability affects the Go programming language’s core library component html/template. No specific version numbers are supplied, so all releases prior to the release that contains the rectification are potentially vulnerable. The issue is only exploitable when the attacker has the ability to provide or modify trusted template files that include the problematic <script> tags.

Risk and Exploitability

Exploitation requires the attacker to supply a template that contains the vulnerable <script> tag; it is not triggered solely by untrusted user input. If such a template is rendered, cross‑site scripting can be achieved, potentially enabling session hijacking, phishing, or data theft. The EPSS score is less than 1%, and the vulnerability is not listed in CISA KEV. The CVSS score of 6.1 indicates a moderate severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Go standard library

html/template

unaffected

Version	Status	Constraints
`0`	affected	< 1.25.10
`1.26.0-0`	affected	< 1.26.3

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

No data.

Vendor Product Confidence Versions

Go Standard Library

Html/template

100%

Version	Status	Scheme	Platform
`[0,1.25.10)`	affected	semver	—
`[1.26.0-0,1.26.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the most recent Go release that incorporates the fix for this rendering bug.
Verify that all <script> tags in trusted templates include a non‑empty, non‑whitespace "type" attribute or eliminate <script> tags that embed user‑supplied data.
If a patch cannot be applied immediately, sanitize any content injected into <script> blocks with a trusted JavaScript sanitizer, or redesign templates so that untrusted data never appears within a script context.

Generated by OpenCVE AI on May 13, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://go.dev/cl/771180
https://go.dev/issue/78981
https://groups.google.com/g/golang-announce/c/qcCIEXso47M
https://pkg.go.dev/vuln/GO-2026-4980

History

Wed, 13 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-79

Wed, 13 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Golang Golang go
Weaknesses		CWE-116
CPEs		cpe:2.3:a:golang:go::::::::
Vendors & Products		Golang Golang go

Fri, 08 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 07 May 2026 22:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79

Thu, 07 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go Standard Library Go Standard Library html/template
Vendors & Products		Go Standard Library Go Standard Library html/template

Thu, 07 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Title		Escaper bypass leads to XSS in html/template
References		https://go.dev/cl/771180 https://go.dev/issue/78981 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4980

Subscriptions

Go Standard Library Html/template

Golang Go

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-05-07T19:41:19.138Z

Updated: 2026-05-08T14:05:05.849Z

Reserved: 2026-04-07T18:13:03.528Z

Link: CVE-2026-39826

Vulnrichment

Updated: 2026-05-08T14:05:00.652Z

NVD

Status : Analyzed

Published: 2026-05-07T20:16:43.490

Modified: 2026-05-13T16:59:07.480

Link: CVE-2026-39826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:45:04Z

Weaknesses

CWE-116
Improper Encoding or Escaping of Output

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object