CVE-2026-5090

MEDIUM

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected

Title source: cna

Description

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

References (3)

Core 3

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/19/40

Issue Tracking issue-tracking

https://github.com/abw/Template2/issues/327

Patch patch

https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae

Scores

CVSS v3 6.1

EPSS 0.0028

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

TODDR/Template::Plugin::HTML < 3.102

Published May 19, 2026

Tracked Since May 19, 2026