CVE-2026-32289 — Cross-site Scripting in Standard Library Html Template
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 97.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 8
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages1 packages
🔴Vulnerability Details
4GHSA▶
GHSA-7mr4-xjxg-34g6: Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches we↗2026-04-08
OSV▶
CVE-2026-32289: Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches we↗2026-04-08
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
2Bugzilla▶
CVE-2026-32289 golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals [fedora-all]↗2026-04-08
Bugzilla▶
CVE-2026-32289 html/template: golang: html/template: Cross-Site Scripting (XSS) via improper context and brace depth tracking in JS template literals↗2026-04-08