CVE-2026-5090

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'...

medium 6.1 CVSS 3.1

Published: May 19, 2026

Modified: May 20, 2026

Description

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.

The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in

would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,

var = " ' onclick='while (true) { alert(1) }'"

Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

References

https://github.com/abw/Template2/issues/327
https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae
http://www.openwall.com/lists/oss-security/2026/05/19/40

Version	3.1
Score	6.1 / 10
Severity	medium