๐Ÿ” CVE Alert

CVE-2026-32289

MEDIUM 6.1

JsBraceDepth Context Tracking Bugs (XSS) in html/template

CVSS Score: 6.1
EPSS Score: 0.0%
EPSS Percentile: 1st

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
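
As an added audit aid (not code from the Go project or from this advisory), the Go sketch below lists every template action that sits inside a JS template literal within a `<script>` block, which are the places whose escaping this issue concerns. `FindLiteralActions`, `hasFold` and the sample template are constructed for illustration, and the scan is a heuristic that does not parse JavaScript.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample template (not from the advisory).
const sample = "<p>{{.Title}}</p>\n<script>\nconst a = {{.A}};\n" +
	"const b = `hi ${ {{.B}} } {{if .C}}x{{end}}`;\n</script>\n"

func hasFold(s, p string) bool { return len(s) >= len(p) && strings.EqualFold(s[:len(p)], p) }

// FindLiteralActions (hypothetical helper) tracks <script> blocks and backtick
// literals and reports each {{...}} action found inside a literal. Heuristic:
// backticks in JS strings or comments are not recognised and can mislead it.
func FindLiteralActions(src string) []string {
	var out []string
	inScript, inLit, line := false, false, 1
	for i := 0; i < len(src); {
		switch {
		case src[i] == '\n':
			line, i = line+1, i+1
		case !inScript && hasFold(src[i:], "<script"):
			inScript, i = true, i+len("<script")
		case inScript && !inLit && hasFold(src[i:], "</script"):
			inScript, i = false, i+len("</script")
		case inScript && strings.HasPrefix(src[i:], "{{"):
			end := strings.Index(src[i:], "}}")
			if end < 0 {
				return out // unterminated action: stop scanning
			}
			if inLit {
				out = append(out, fmt.Sprintf("line %d: %s", line, src[i:i+end+2]))
			}
			line, i = line+strings.Count(src[i:i+end+2], "\n"), i+end+2
		case inLit && src[i] == '\\' && i+1 < len(src):
			line, i = line+strings.Count(src[i:i+2], "\n"), i+2 // skip escaped char, e.g. \`
		case inScript && src[i] == '`':
			inLit, i = !inLit, i+1
		default:
			i++
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(FindLiteralActions(sample), "\n"))
}
```

Templates it flags are the ones to re-test after moving to a fixed Go release; an empty result does not prove a template is unaffected.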

Vendor: Go standard library
Product: html/template
Published: Apr 8, 2026
Last Updated: Apr 13, 2026

Affected Versions

Go standard library / html/template
0 to < 1.25.9
1.26.0-0 to < 1.26.2

References

go.dev: https://go.dev/cl/763762
go.dev: https://go.dev/issue/78331
groups.google.com: https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4865