CVE-2026-5090

Summary

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.

The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in

<a id='ref' title='[% var | html %]'>

would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,

var = " ' onclick='while (true) { alert(1) }'"

Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

Affected Software

VendorProductVersion RangeStatus
TODDRTemplate::Plugin::HTML0 <= 3.102affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation

Workarounds

Attribute values in templates that contain escaped HTML should use double quotes instead of single quotes.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References