CVE-2026-5090
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.
The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in
<a id='ref' title='[% var | html %]'>
would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,
var = " ' onclick='while (true) { alert(1) }'"
Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TODDR | Template::Plugin::HTML | 0 <= 3.102 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation
Workarounds
Attribute values in templates that contain escaped HTML should use double quotes instead of single quotes.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/abw/Template2/issues/327
- https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.