Template Execution Vulnerability in Go Programming Language
CVE-2026-39826

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Html/template
Vendor: CVE Published:; 7 May 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2026-39826?

A vulnerability exists in the Go programming language where a trusted template author can improperly utilize the tag. If the 'type' attribute is empty or contains ASCII whitespace, the template fails to correctly escape any data input into the block. This can lead to unintended script execution and potential exposure of sensitive information.

Affected Version(s)

html/template 0 < 1.25.10

html/template 1.26.0-0 < 1.26.3

References

https://go.dev/issue/78981

https://go.dev/cl/771180

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Mundur (https://github.com/M0nd0R)

CVE-2026-39826 Data

JSON