CVE-2026-5090
XSS in Template::Plugin::HTML Perl Module
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: CPANSec
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| template | plugin | up to and including 3.102 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Template::Plugin::HTML versions through 3.102 for Perl, where the html_filter function does not properly escape single quotes. This allows an attacker to inject limited HTML and JavaScript code inside HTML attributes that use single quotes.
For example, if a variable is used inside a single-quoted HTML attribute, such as `<a id='ref' title='[% var | html %]'>`, an attacker can craft the variable to include malicious code like `' onclick='while (true) { alert(1) }'`, which closes the attribute early and adds an event handler; the JavaScript then runs when the element is clicked.
However, the injection is limited because angle brackets, ampersands, and double-quotes are still escaped, making arbitrary HTML and JavaScript injection difficult.
How can this vulnerability impact me?
This vulnerability can allow an attacker to inject limited HTML and JavaScript code into web pages generated by the affected Template::Plugin::HTML versions. This could lead to cross-site scripting (XSS) attacks, where malicious scripts run in the context of a user's browser.
Such attacks could be used to perform actions like displaying unwanted alerts, stealing session information, or manipulating the user interface, potentially compromising user security and trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-5090 allows limited HTML and JavaScript injection due to improper escaping of single quotes in HTML attributes. This type of vulnerability can lead to cross-site scripting (XSS) attacks, which may result in unauthorized access to sensitive data or user sessions.
Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure. If exploited, this vulnerability could potentially lead to data breaches or compromise of user information, thereby violating these regulations.
However, the vulnerability limits injection scope by escaping angle brackets, ampersands, and double quotes, which somewhat reduces the risk but does not eliminate it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper escaping of single quotes in the html_filter function of Template::Plugin::HTML versions through 3.102 for Perl, which allows limited HTML and JavaScript injection in attributes enclosed in single quotes.
To detect this vulnerability on your system, you can check the version of Template::Plugin::HTML installed and review templates for usage of single-quoted HTML attributes that include unescaped variables.
There are no specific commands provided in the resources to detect exploitation attempts or presence of the vulnerability on the network or system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating Template::Plugin::HTML to a version later than 3.102 where the vulnerability is fixed.
As a workaround, wrap HTML attribute values in double quotes rather than single quotes in templates that insert html-filtered values, since double quotes are escaped by the filter and single quotes are not.
Ensure that the html_filter function and the HTML plugin's escape method properly escape single quotes using the numeric HTML entity `&#39;` instead of relying on `'`.
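As an added illustration (a Python re-implementation for this page, not the module's own code), the filter behaviour described above beside its hardened form, rendered into the single-quoted attribute from the example and into the double-quoted workaround form, with a check that the attribute still holds the whole value; the function names, the regex and the sample value are constructed here.

```python
import html
import re

# Constructed templates: the advisory's single-quoted attribute, and the
# double-quoted form recommended as a workaround.
TEMPLATE_SQ = "<a id='ref' title='{title}'>ref</a>"
TEMPLATE_DQ = '<a id="ref" title="{title}">ref</a>'

def html_filter_weak(text: str) -> str:
    """Escaping as described for Template::Plugin::HTML <= 3.102:
    '<', '>', '&' and '"' are neutralised; a single quote passes through.
    (Illustrative re-implementation, not the module's code.)"""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))

def html_filter_fixed(text: str) -> str:
    """Hardened filter: also encode the single quote as the numeric entity
    &#39;, which every HTML parser understands (unlike the named &apos; in HTML4)."""
    return html_filter_weak(text).replace("'", "&#39;")

# Matches title=<quote>...<same quote>, as a parser would delimit the attribute.
ATTR_RE = re.compile(r"title=(['\"])(.*?)\1")

def title_attribute_value(rendered: str) -> str:
    """The title value as a browser sees it: text between the matching quotes, entity-decoded."""
    return html.unescape(ATTR_RE.search(rendered).group(2))

def attribute_intact(rendered: str, original: str) -> bool:
    """True when the attribute still holds exactly the original value, i.e. the
    value could not terminate the quoted attribute early."""
    return title_attribute_value(rendered) == original

# Constructed sample value containing single quotes (benign; any such value
# breaks out of a single-quoted attribute under the weak filter).
SAMPLE = "O'Reilly's page"

def demo() -> dict:
    weak_sq = TEMPLATE_SQ.format(title=html_filter_weak(SAMPLE))
    fixed_sq = TEMPLATE_SQ.format(title=html_filter_fixed(SAMPLE))
    weak_dq = TEMPLATE_DQ.format(title=html_filter_weak(SAMPLE))   # workaround
    return {
        "weak_sq": weak_sq, "fixed_sq": fixed_sq, "weak_dq": weak_dq,
        "weak_sq_intact": attribute_intact(weak_sq, SAMPLE),    # False
        "fixed_sq_intact": attribute_intact(fixed_sq, SAMPLE),  # True
        "weak_dq_intact": attribute_intact(weak_dq, SAMPLE),    # True
    }
```

Running `demo()` shows the single-quoted attribute is cut short under the weak filter, while both the `&#39;` fix and the double-quote workaround keep the value inside the attribute.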