Go standard library html/template vulnerabilities
9 known vulnerabilities affecting go_standard_library/html_template.
Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 5
Vulnerabilities (each entry: CVE | severity | CVSS | CWE where listed | fixed-in release | additional affected range | date, followed by the description and its data sources)
CVE-2026-32289 | MEDIUM | CVSS 6.1 | fixed in 1.25.9 | affected ≥ 1.26.0-0, < 1.26.2 | 2026-04-08
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally, template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template liter
Sources: cvelistv5, nvd
CVE-2026-27142 | MEDIUM | CVSS 6.1 | fixed in 1.25.8 | affected ≥ 1.26.0-0, < 1.26.1 | 2026-03-06
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by settin
Sources: cvelistv5, nvd
CVE-2024-24785 | MEDIUM | CVSS 5.4 | fixed in 1.21.8 | affected ≥ 1.22.0-0, < 1.22.1 | 2024-03-05
If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into templates.
Sources: cvelistv5, nvd
CVE-2023-39318 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.20.8 | affected ≥ 1.21.0-0, < 1.21.1 | 2023-09-08
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
Sources: cvelistv5, nvd
CVE-2023-39319 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.20.8 | affected ≥ 1.21.0-0, < 1.21.1 | 2023-09-08
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
Sources: cvelistv5, nvd
CVE-2023-24540 | CRITICAL | CVSS 9.8 | CWE-77 | fixed in 1.19.9 | affected ≥ 1.20.0-0, < 1.20.4 | 2023-05-11
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Sources: cvelistv5, nvd
CVE-2023-24539 | HIGH | CVSS 7.3 | CWE-74 | fixed in 1.19.9 | affected ≥ 1.20.0-0, < 1.20.4 | 2023-05-11
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
Sources: cvelistv5, nvd
CVE-2023-29400 | HIGH | CVSS 7.3 | CWE-74 | fixed in 1.19.9 | affected ≥ 1.20.0-0, < 1.20.4 | 2023-05-11
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Sources: cvelistv5, nvd
CVE-2023-24538 | CRITICAL | CVSS 9.8 | fixed in 1.19.8 | affected ≥ 1.20.0-0, < 1.20.3 | 2023-04-06
Backticks not treated as string delimiters in html/template
Templates do not properly consider backticks (`) as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript
Sources: cvelistv5
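Every entry above is a place where html/template's idea of the current context (unquoted attribute, CSS value, JavaScript value, JS template literal) disagreed with what a browser would do with the output. The program below is an added example, not part of this listing or of the Go project's own code: it renders an action in each of those contexts with constructed, inert inputs and shows what a patched toolchain emits, namely the ZgotmplZ failsafe for an empty unquoted attribute (the CVE-2023-29400 shape) and for a CSS value containing '/' or '<' (CVE-2023-24539), \u003c escapes for a JavaScript value, and either a parse error or an escaped backtick for an action inside a JS template literal (CVE-2023-24538). The template strings, the Payload constant and the function names are the example's own assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Payload is a constructed, inert string shaped to close the enclosing
// context if it ever reached the browser unescaped.
const Payload = `</script><script>alert(1)</script>`

// render parses tmpl with html/template and executes it against data,
// returning the rendered output or the first parse/execute error.
func render(tmpl string, data any) (string, error) {
	t, err := template.New("probe").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// UnquotedAttrEmpty is the CVE-2023-29400 shape: an action as an unquoted
// attribute value, executed with empty input. An unpatched release emitted
// `alt= src="/x.png"`, which the HTML tokenizer reads as alt taking the
// value `src="/x.png"`; a patched release emits the ZgotmplZ failsafe.
func UnquotedAttrEmpty() (string, error) {
	return render(`<img alt={{.}} src="/x.png">`, "")
}

// CSSValue renders an action as a CSS property value. The CSS value filter
// rejects '/', and since the CVE-2023-24539 fix also '<' and '>', so a
// value that tries to close <style> collapses to ZgotmplZ while a plain
// identifier such as "red" passes through unchanged.
func CSSValue(v string) (string, error) {
	return render(`<style>p{color:{{.}}}</style>`, v)
}

// JSValue renders an action as a bare JavaScript value. The escaper
// JSON-encodes the string and writes '<', '>' and '&' as \u escapes, so
// the text "</script>" inside the data cannot end the script block early.
func JSValue(v string) (string, error) {
	return render(`<script>var v = {{.}};</script>`, v)
}

// JSTemplateLiteral places an action inside a JS template literal, the
// CVE-2023-24538 context. Releases from that fix up to the point where
// actions in template literals were re-enabled reject this at Parse time;
// later releases accept it and escape backticks in the data. Either is
// acceptable; a raw backtick from the data reaching the output is not.
func JSTemplateLiteral(v string) (string, error) {
	return render("<script>let s = `{{.}}`;</script>", v)
}

// TemplateLiteralIsSafe reports whether the template-literal probe behaved
// safely for input v: it either refused to parse, or rendered with exactly
// the two backticks that belong to the template text itself.
func TemplateLiteralIsSafe(v string) bool {
	out, err := JSTemplateLiteral(v)
	if err != nil {
		return true
	}
	return strings.Count(out, "`") == 2
}

func main() {
	probes := []struct {
		name string
		run  func() (string, error)
	}{
		{"unquoted attr, empty input", UnquotedAttrEmpty},
		{"css value, payload", func() (string, error) { return CSSValue(Payload) }},
		{"css value, plain", func() (string, error) { return CSSValue("red") }},
		{"js value, payload", func() (string, error) { return JSValue(Payload) }},
		{"js template literal", func() (string, error) { return JSTemplateLiteral("`+alert(1)+`") }},
	}
	for _, p := range probes {
		out, err := p.run()
		if err != nil {
			fmt.Printf("%-28s rejected at parse/exec: %v\n", p.name, err)
			continue
		}
		fmt.Printf("%-28s %s\n", p.name, out)
	}
}
```

Run it with `go run .` on the toolchain you actually deploy; on a release older than the fixed-in versions listed above some of these outputs differ, which is exactly what the advisories describe. To check a module against this list without eyeballing rendered output, run `go run golang.org/x/vuln/cmd/govulncheck@latest ./...`, which reports standard-library entries for the Go version the module builds with and, where it can, limits them to symbols your code reaches.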