JavaScript Template Literal Vulnerability in Go Language Implementation
CVE-2026-32289
What is CVE-2026-32289?
A vulnerability exists in the Go programming language due to improper tracking of context across template branches inside JavaScript template literals. The flaw affects how content is escaped during rendering: when branches are used within these template literals, content can be escaped incorrectly, which may lead to Cross-Site Scripting (XSS). Failures in tracking brace depth within template actions compound the issue, and the risk is significant wherever user input is involved. Developers using these versions of Go must review their code to ensure template literals are handled properly.
Affected Version(s)
html/template 0 < 1.25.9
html/template 1.26.0-0 < 1.26.2
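
A review aid for the code audit recommended above, added here as an example and not taken from the advisory or from the Go project: it lists branch actions (if, else, range, with, end) that sit inside a backtick-delimited JavaScript template literal within a script element. The function name, the sample template and the backtick-toggle heuristic are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample template, not taken from any real project.
const sample = "<p>{{if .A}}x{{end}}</p>\n<script>\n" +
	"var greeting = `Hello {{if .Admin}}admin{{else}}{{.Name}}{{end}}`;\n" +
	"var plain = \"{{if .B}}1{{end}}\";\n</script>\n"

var (
	scriptRe = regexp.MustCompile(`(?is)<script\b[^>]*>(.*?)</script>`)
	branchRe = regexp.MustCompile(`^-?\s*(if|else|range|with|end)\b`)
)

// FindBranchesInJSLiterals (hypothetical helper) returns "line: action" for each
// branch action found between backticks inside a <script> element. Heuristic only:
// backticks in JS comments, quoted strings or nested ${...} are not recognised.
func FindBranchesInJSLiterals(src string) []string {
	var out []string
	for _, m := range scriptRe.FindAllStringSubmatchIndex(src, -1) {
		body, inLiteral := src[m[2]:m[3]], false
		for i := 0; i < len(body); i++ {
			switch {
			case body[i] == '\\':
				i++ // skip the escaped character
			case body[i] == '`':
				inLiteral = !inLiteral
			case strings.HasPrefix(body[i:], "{{"):
				action, _, _ := strings.Cut(body[i+2:], "}}")
				if inLiteral && branchRe.MatchString(action) {
					line := 1 + strings.Count(src[:m[2]+i], "\n")
					out = append(out, fmt.Sprintf("%d: {{%s}}", line, action))
				}
				i += len(action) + 3 // land on the action's final brace
			}
		}
	}
	return out
}

func main() {
	for _, hit := range FindBranchesInJSLiterals(sample) {
		fmt.Println(hit, "is inside a JS template literal")
	}
}
```

Each reported line is a candidate for manual review on the affected versions, not a confirmed injection point.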
