Skip to main content

Go html/template EUVDEUVD-2026-28426

| CVE-2026-39826 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-05-07 Go GHSA-3v2c-x6q9-f697
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 08, 2026 - 15:23 vuln.today
CVSS changed
May 08, 2026 - 15:22 NVD
6.1 (MEDIUM)
Patch available
May 07, 2026 - 21:02 EUVD
CVE Published
May 07, 2026 - 19:41 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 19:41 nvd
MEDIUM 6.1

DescriptionCVE.org

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

AnalysisAI

Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.

Technical ContextAI

The Go html/template package provides contextual HTML escaping to prevent injection vulnerabilities. The vulnerability resides in the template parser's handling of script tag type attributes: when the 'type' attribute is empty or contains only ASCII whitespace characters (space, tab, newline, carriage return, form feed), the parser fails to recognize this as a script context and applies incorrect escaping rules. This allows data interpolation within the script block to bypass the intended HTML entity encoding that would normally occur. The root cause appears to be improper validation of the 'type' attribute value during template compilation, affecting the context-sensitive escaping logic. CPE cpe:2.3:a:go_standard_library:html/template:*:*:*:*:*:*:*:* identifies the Go standard library's html/template as the affected component.

RemediationAI

Vendor-released patch: upgrade to html/template 1.26.3 or later for Go 1.26.x users, or html/template 1.25.10 or later for Go 1.25.x users. These versions correct the type attribute validation logic to properly recognize empty and whitespace-only type attributes as non-script contexts, applying appropriate escaping. Coordinate upgrade timing with Go release channels; patch details and release notes available at https://go.dev/cl/771180 and https://pkg.go.dev/vuln/GO-2026-4980. For applications unable to upgrade immediately, audit existing templates for <script> tags with empty or whitespace-only type attributes and replace them with properly-formed type attributes (e.g., type='text/javascript' or remove the attribute entirely if not required). Implement template code review processes to catch this pattern during development.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-28426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy