CVE-2026-32289
Improper Escaping in Go JS Template Literals Causes XSS
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 1.25.9 (exc) |
| golang | go | From 1.26.0 (inc) to 1.26.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-32289 vulnerability affects the Go programming language's html/template package, specifically its handling of JavaScript (JS) template literals.
The issue arises because the template engine does not properly track context across template branches within JS template literals, leading to incorrect escaping of content when conditional branches are used.
Additionally, template actions inside JS template literals fail to correctly track the depth of braces, which causes improper escaping.
These flaws can cause actions within JS template literals to be escaped incorrectly or insufficiently, resulting in potential cross-site scripting (XSS) vulnerabilities.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting (XSS) attacks because the improper escaping of content inside JavaScript template literals allows malicious scripts to be injected and executed.
If you use the Go html/template package to generate web content that includes JavaScript template literals with conditional branches or template actions, your application could be vulnerable to XSS.
Such XSS vulnerabilities can compromise the security of your web application by allowing attackers to execute arbitrary scripts in users' browsers, potentially stealing sensitive information or performing unauthorized actions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Go html/template package when using template actions inside JavaScript template literals, causing improper escaping and potential XSS issues.
Detection involves reviewing your Go codebase for usage of the html/template package, specifically looking for templates that include JavaScript template literals with conditional branches or embedded template actions.
There are no specific network or system commands provided to detect this vulnerability automatically.
A practical approach is to audit your Go templates for unsafe escaping patterns or to test your web application for XSS vulnerabilities originating from template-rendered JavaScript.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade your Go environment to a fixed version where this vulnerability is resolved.
- Upgrade to Go version 1.25.9 or later, or 1.26.2 or later, where the issue has been fixed.
- Review and audit your templates that use JavaScript template literals with conditional branches or embedded actions to ensure proper escaping.
- Avoid using template actions inside JS template literals until you have applied the fix.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-32289 causes improper escaping in JavaScript template literals within the Go html/template package, leading to potential cross-site scripting (XSS) vulnerabilities.
XSS vulnerabilities can lead to unauthorized access or exposure of sensitive data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require protection against data breaches and unauthorized data access.
Therefore, if applications using the affected Go versions and html/template package are exploited via this vulnerability, they could face compliance risks related to these standards due to potential data leakage or compromise.