CVE-2026-39826
Undergoing Analysis Undergoing Analysis - In Progress
Stored XSS in Go Template Engine

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: Go Project

Description
If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-39826
EUVD
EUVD-2026-28426
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang html_template From 1.26.0 (inc) to 1.26.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability occurs when a trusted template author uses a <script> tag with an empty 'type' attribute or a 'type' attribute containing ASCII whitespace in Go's html/template package.

To detect this vulnerability, you should audit your Go html/template source code for any <script> tags where the 'type' attribute is either empty or contains only whitespace.

A simple command to find such occurrences in your codebase could be:

  • grep -rP '<script[^>]*type=["\'\s]*["\'\s]*>' ./

This command searches recursively for <script> tags with empty or whitespace-only 'type' attributes.

Additionally, review usage of Template.Execute and Template.ExecuteTemplate functions in affected versions (before go1.25.10 and from go1.26.0-0 before go1.26.3) as these are the vulnerable functions.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using <script> tags with empty or whitespace-only 'type' attributes in your Go html/template templates.
  • Review and sanitize all template code to ensure that <script> tags have valid 'type' attributes or omit the 'type' attribute if not needed.
  • Upgrade your Go environment to a fixed version once the patch is released, as the vulnerability is known and a fix is planned.
  • In the meantime, audit and restrict template authorship to trusted individuals to minimize risk.
Executive Summary

CVE-2026-39826 is a vulnerability in Go's html/template package that allows a Cross-Site Scripting (XSS) attack due to improper escaping of data inside <script> tags.

The issue arises when a trusted template author writes a <script> tag with an empty 'type' attribute (type="") or a 'type' attribute containing ASCII whitespace. Under these conditions, the template engine incorrectly escapes any data passed into the <script> block, which can enable malicious script execution.

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks, where an attacker can inject and execute malicious scripts in the context of a trusted web application.

If exploited, it can compromise the security of users by stealing sensitive information, hijacking user sessions, or performing unauthorized actions on behalf of the user.

The vulnerability affects applications using the Go html/template package versions before go1.25.10 and from go1.26.0-0 before go1.26.3, specifically when using Template.Execute or Template.ExecuteTemplate functions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39826. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart