Skip to main content

Red Hat EUVDEUVD-2026-20018

| CVE-2026-32289 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Go
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 12:24 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
6.1 (MEDIUM)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20018
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionCVE.org

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Go's html/template package allows incorrect escaping of template actions within JavaScript template literals, enabling attackers to inject malicious scripts when template branches and brace-depth tracking are mishandled. Affects html/template versions prior to 1.26.2 and 1.25.9. The vulnerability requires user interaction (UI:R) and is not actively exploited based on available intelligence, though the low EPSS score (0.01%) indicates minimal real-world exploitation likelihood despite the network-accessible attack vector.

Technical ContextAI

Go's html/template package provides automatic context-aware HTML escaping for template variables. The vulnerability stems from two distinct flaws in how the template parser handles JavaScript (JS) template literals (backtick-delimited strings in JavaScript that support embedded expressions via ${...} syntax). First, context state is not properly maintained when template execution branches (if/else, range, etc.) occur within JS template literals, causing the escaper to apply incorrect HTML or JavaScript escaping rules. Second, the template action parser fails to correctly track nested brace depth within JS template literals, leading to improper demarcation of template action boundaries and subsequent incorrect escaping. JS template literals are a modern JavaScript feature that creates a complex escaping challenge because content inside ${...} expressions requires JavaScript context awareness, yet the surrounding literal requires different escaping rules. The CWE classification is not provided, but this aligns with improper input neutralization patterns common to XSS vulnerabilities.

RemediationAI

Upgrade Go's html/template package to version 1.26.2 or later (for 1.26.x branch) or to version 1.25.9 or later (for 1.25.x and earlier branches). For users on Go distributions, this requires upgrading the Go runtime version that bundles the patched standard library. Vendor advisory details and commit information are available at https://go.dev/cl/763762 and https://pkg.go.dev/vuln/GO-2026-4865. No workarounds are documented; patching is the primary remediation. Developers should review any templates using JavaScript template literals with branching logic to ensure they are updated once the Go runtime is patched.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-20018 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy