Description
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Go standard library html/template package is intended to escape data injected into templates so that HTML, CSS, and JavaScript contexts remain safe. When a trusted template author writes a <script> tag with an empty or whitespace‑only "type" attribute, the rendering logic incorrectly treats the content as plain text and skips the escape step. Any data that is substituted into the script block is therefore inserted verbatim, allowing an attacker who can supply a susceptible template to inject arbitrary JavaScript and execute it in the visitor’s browser.

Affected Systems

This vulnerability affects the Go programming language’s core library component html/template. No specific version numbers are supplied, so all releases prior to the release that contains the rectification are potentially vulnerable. The issue is only exploitable when the attacker has the ability to provide or modify trusted template files that include the problematic <script> tags.

Risk and Exploitability

Exploitation requires the attacker to supply a template that contains the vulnerable <script> tag; it is not triggered solely by untrusted user input. If such a template is rendered, cross‑site scripting can be achieved, potentially enabling session hijacking, phishing, or data theft. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The absence of a CVSS score suggests a high‑to‑critical severity based on the ability to run arbitrary code in clients’ browsers.

Generated by OpenCVE AI on May 7, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the most recent Go release that incorporates the fix for this rendering bug.
  • Verify that all <script> tags in trusted templates include a non‑empty, non‑whitespace "type" attribute or eliminate <script> tags that embed user‑supplied data.
  • If a patch cannot be applied immediately, sanitize any content injected into <script> blocks with a trusted JavaScript sanitizer, or redesign templates so that untrusted data never appears within a script context.

Generated by OpenCVE AI on May 7, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library html/template
Vendors & Products Go Standard Library
Go Standard Library html/template

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
Title Escaper bypass leads to XSS in html/template
References

Subscriptions

Go Standard Library Html/template
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:19.138Z

Reserved: 2026-04-07T18:13:03.528Z

Link: CVE-2026-39826

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:43.490

Modified: 2026-05-07T20:38:04.860

Link: CVE-2026-39826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses