← volver
CVE-2026-32289

JsBraceDepth Context Tracking Bugs (XSS) in html/template

CVSS 6.1 MEDIUMEPSS 0.3%
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.1EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
08 abr 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Productos afectados
Go standard library · html/template

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://go.dev/cl/763762https://go.dev/issue/78331https://groups.google.com/g/golang-announce/c/0uYbvbPZRWUhttps://pkg.go.dev/vuln/GO-2026-4865