JsBraceDepth Context Tracking Bugs (XSS) in html/template

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected Products

Vendor	Product	Versions
go standard library	html/template	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (2 articles)

Tier C

oss-security1d ago

Go 1.26.2 and Go 1.25.9 are released with 10 security fixes

→ No new info (linked only)

Tier C

VulDB2d ago

CVE-2026-32289 | html-template up to 1.25.8/1.26.1 on Go cross site scripting

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

CWECWE-79

PublishedApr 8, 2026

Last enriched2d agov2

Community Vote

0 upvotes

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated affected versions to include 1.25.8 and 1.26.1, changed severity to HIGH, and noted that there is no available exploit.

affectedVersionsseverityactivelyExploitedcweIdstags

via VulDB

v12d ago

Initial creation

JsBraceDepth Context Tracking Bugs (XSS) in html/template

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History