CVE-2026-39826
Published 2026-05-07
Priority P4 (29) · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.37% (29.0th percentile)
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
Affected
100 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-compute-attestation-tech-preview | trustee-rhel9-operator | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| dvo | deployment-validation-rhel8-operator | — | — |
| etcd | etcd | — | — |
CVSS provenance
NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 6.1 MEDIUM
GHSA
GHSA-3v2c-x6q9-f697 (ghsa_unreviewed, 2026-05-07, MEDIUM)
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
VulDB
html-template up to 1.25.9/1.26.2 on Go Type escape output (EUVD-2026-28426) (vuldb, 2026-05-07, rated CRITICAL by VulDB)
A vulnerability was found in html-template up to 1.25.9/1.26.2 on Go and classified as critical. This affects an unknown part. Such manipulation of the argument Type leads to escaping of output.
This vulnerability is documented as CVE-2026-39826. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
Red Hat
html/template: golang: html/template: Cross-site scripting due to incorrect script tag escaping (vendor_redhat, 2026-05-07, MEDIUM, CVSS 6.1, CWE-1289)
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
A flaw was found in html/template. A trusted template author could craft a script tag with an empty or whitespace-only 'type' attribute. This vulnerability causes the template engine to incorrectly escape data passed into the script block, potentially leading to cross-site scripting (XSS). An attacker could leverage this to execute arbitrary client-side scripts in a user's browser.
Mitigation: Mitigation for this issue is either not available or the currently available option
No detection rules found.
No public exploits indexed.
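A template-source audit for the pattern the advisory describes, added here as an example (not code from Go's html/template, Red Hat, or any of the sources above): it flags <script> tags whose type attribute is empty or ASCII-whitespace-only, so they can be reviewed or rewritten as plain <script> tags while an affected Go version is still in use. It is a regular-expression scan over template text rather than an HTML parse, so a tag with a > inside an attribute value can be missed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// scriptTagRe matches an opening <script ...> tag and captures its attribute text.
var scriptTagRe = regexp.MustCompile(`(?is)<script\b([^>]*)>`)

// typeAttrRe captures a type attribute's value: double-quoted, single-quoted or unquoted.
var typeAttrRe = regexp.MustCompile(`(?is)(?:^|\s)type\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]*))`)

// asciiSpace is HTML's ASCII whitespace, the wording the advisory uses (strings.TrimSpace would also strip Unicode spaces).
const asciiSpace = " \t\n\f\r"

// Finding is one flagged tag with its 1-based line in the template source.
type Finding struct {
	Line int
	Tag  string
}

// FindEmptyTypeScriptTags reports every <script> tag in src whose type attribute is present
// but empty or ASCII-whitespace-only, the shape CVE-2026-39826 concerns. Tags with no type
// attribute, or a non-empty one (text/javascript, module, application/json, ...), are skipped.
func FindEmptyTypeScriptTags(src string) []Finding {
	var out []Finding
	for _, loc := range scriptTagRe.FindAllStringSubmatchIndex(src, -1) {
		m := typeAttrRe.FindStringSubmatch(src[loc[2]:loc[3]])
		if m == nil {
			continue
		}
		val := m[1] + m[2] + m[3] // exactly one capture group is populated
		if strings.Trim(val, asciiSpace) == "" {
			line := 1 + strings.Count(src[:loc[0]], "\n")
			out = append(out, Finding{Line: line, Tag: src[loc[0]:loc[1]]})
		}
	}
	return out
}

func main() {
	// Constructed sample template source, not taken from any real project.
	src := "<script>var a = {{.}};</script>\n<script type=\"\">var b = {{.}};</script>\n" +
		"<script type=' \t'>var c = {{.}};</script>\n<script type=\"application/json\">{{.}}</script>\n"
	for _, f := range FindEmptyTypeScriptTags(src) {
		fmt.Printf("line %d: %s\n", f.Line, f.Tag) // prints the tags on lines 2 and 3
	}
}
```

Run it over a template tree (for example by reading each .html or .tmpl file into src) and review every finding; tags without a type attribute are already treated as JavaScript by html/template and are not reported.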
Rapid7
Patch Tuesday - May 2026 (blogs_rapid7, 2026-05-13, CVSS 10.0; CVE-2026-41089, CRITICAL)
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that's SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-39826 html/template: golang: html/template: Cross-site scripting due to incorrect script tag escaping (bugzilla, 2026-05-07, MEDIUM, CVSS 6.1)
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:22112 https://access.redhat.co