CVE-2026-5090

NameCVE-2026-5090
DescriptionTemplate::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected. The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'" Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libtemplate-perl (PTS)bookworm, bullseye, trixie2.27-1vulnerable
forky, sid3.102-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libtemplate-perlsource(unstable)(unfixed)

Notes

https://lists.security.metacpan.org/cve-announce/msg/40218729/
https://github.com/abw/Template2/issues/327
https://github.com/cpan-authors/Template2/pull/337
Fixed by: https://github.com/cpan-authors/Template2/commit/11c78a7a771d4af505efeb754a0b8775689c2eae
Search for package or bug name: Reporting problems