CPANSA-Template-Toolkit-2026-5090: Template-Toolkit vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-05-19T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-05-19T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 6.1 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could have code injected. For example, the variable "var" in would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
Vulnerabilities
CVE-2026-5090
Vulnerability Description
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could have code injected. For example, the variable "var" in would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
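The escaping gap described above, re-implemented as an added Python example (not code from Template-Toolkit or from this advisory): a filter that escapes `&`, `<`, `>` and `"` but not `'`, beside one that also escapes the single quote, both applied to the advisory's sample value inside a single-quoted attribute, with a check that flags when the attribute boundary is broken. The template fragment the advisory refers to did not survive extraction, so `<a title='[% var | html %]'>` is assumed, and the `&#39;` entity is an assumption about the fix, not necessarily the upstream replacement.

```python
# Added example (not Template-Toolkit's own code): a re-implementation of the
# escaping rules the advisory describes, used to show why a value placed inside a
# single-quoted attribute breaks out before the fix and stays contained after it.

def html_filter_pre_fix(text: str) -> str:
    """Escapes &, <, > and the double quote only, as html_filter did through 3.102."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def html_filter_fixed(text: str) -> str:
    """Also escapes the single quote. The &#39; entity is an assumption here,
    not necessarily the exact replacement used in the upstream fix."""
    return html_filter_pre_fix(text).replace("'", "&#39;")


# Assumed template fragment: <a title='[% var | html %]'>link</a>
ATTR_PREFIX = "<a title='"
ATTR_SUFFIX = "'>link</a>"


def render_single_quoted_attr(filter_fn, var: str) -> str:
    """Renders the assumed template fragment with filter_fn applied to var."""
    return f"{ATTR_PREFIX}{filter_fn(var)}{ATTR_SUFFIX}"


def attribute_boundary_intact(rendered: str) -> bool:
    """Defensive check: an escaped value must leave no raw single quote inside the
    attribute, otherwise the browser sees extra attributes (e.g. onclick)."""
    if not (rendered.startswith(ATTR_PREFIX) and rendered.endswith(ATTR_SUFFIX)):
        return False
    inner = rendered[len(ATTR_PREFIX):-len(ATTR_SUFFIX)]
    return "'" not in inner


# Constructed sample value, taken from the advisory's own example.
SAMPLE_VAR = " ' onclick='while (true) { alert(1) }'"

if __name__ == "__main__":
    for name, f in (("pre-fix", html_filter_pre_fix), ("fixed", html_filter_fixed)):
        out = render_single_quoted_attr(f, SAMPLE_VAR)
        print(f"{name}: {out}")
        print(f"  attribute boundary intact: {attribute_boundary_intact(out)}")
```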
| Weakness | CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|---|
Product status
Known affected
| Product | Score |
|---|---|
| Template-Toolkit less than 3.103 | |
Fixed
- Template-Toolkit greater than or equal 3.103
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Template-Toolkit-2026-5090 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-template-toolkit-2026-5090.json
- https://github.com/abw/Template2/issues/327 (external)
- https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae (external)
- http://www.openwall.com/lists/oss-security/2026/05/19/40 (external)
- CVE-2026-5090 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-5090
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Tue May 19 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/