Impact
Template::Plugin::HTML versions through 3.102 do not escape single quotes in the html_filter function. When an attribute value is enclosed in single quotes, an attacker can therefore inject limited HTML and JavaScript, such as an onclick handler that repeatedly alerts a value. The injected script executes in the context of the web page, enabling defacement or theft of user credentials, but the injection is constrained because angle brackets, ampersands and double quotes remain escaped. The weakness is classified as CWE-79, improper neutralization of input during web page generation (cross-site scripting), which allows client-side script execution.
Affected Systems
Any installation of Template::Plugin::HTML for Perl at version 3.102 or earlier. The vulnerability matters for applications that use this plugin to render user-supplied data into web pages, including custom web frameworks or content management systems that integrate the plugin. No specific product family beyond the Perl module is listed, so any system that embeds the affected code should be treated as at risk.
Risk and Exploitability
The vulnerability can be exploited by any actor who can supply data that is passed through html_filter into a template rendered with single-quoted attributes. The required conditions are minimal: untrusted data reaching the template, use of single-quoted attribute values, and no additional sanitization of single quotes. Because the weak point is the template rendering engine itself, an attacker who can influence template input can exploit it as a cross-site scripting flaw. The CVSS score is 6.1, the EPSS score is less than 1%, and the issue is not listed in CISA KEV, indicating limited publicly documented exploitation at this time. However, the nature of XSS makes it suitable for phishing or credential theft, so it should be considered a high risk for exposed web applications.
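The following is an added illustration, not code from Template::Plugin::HTML or from the advisory: a model of an escaper that handles only &, <, > and " (the behaviour described under Impact) beside a hardened one that also neutralises the single quote, plus an attribute-safety check a test suite can run on rendered values. The input string and function names are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Models the described weakness: & < > " are escaped, ' is left alone,
# so a single-quoted attribute value can be terminated by user data.
sub weak_html_filter {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Hardened variant: the single quote is encoded as &#39; as well, so the
# same value is safe inside either single- or double-quoted attributes.
sub safe_html_filter {
    my ($text) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Defensive check: an escaped value is attribute-safe only if no raw
# < > " ' survives and every & starts a recognised entity.
sub attribute_safe {
    my ($escaped) = @_;
    return 0 if $escaped =~ /[<>"']/;
    return 0 if $escaped =~ /&(?!(?:amp|lt|gt|quot|#\d+);)/;
    return 1;
}

# Constructed sample input (not taken from the advisory).
my $untrusted = "it's <b>x</b>";

for my $case (['weak', \&weak_html_filter], ['safe', \&safe_html_filter]) {
    my ($name, $filter) = @$case;
    my $escaped = $filter->($untrusted);
    printf "%-4s <input value='%s'> attribute_safe=%d\n",
        $name, $escaped, attribute_safe($escaped);
}
```

The weak filter leaves the raw apostrophe in place and fails the check; the hardened filter emits `it&#39;s &lt;b&gt;x&lt;/b&gt;` and passes it.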
OpenCVE Enrichment