Zero Day MonitorZDM

← Back to list

—

CVE-2026-32289EXPLOITEDPATCHED

go standard library · html/template

JsBraceDepth Context Tracking Bugs (XSS) in html/template

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected Products

Vendor	Product	Versions
go standard library	html/template	0, 1.26.0-0, 1.25.8, 1.26.1

References

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-32289 | html-template up to 1.25.8/1.26.1 on Go cross site scripting

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.25.91.26.2

CWECWE-79

PublishedApr 8, 2026

Last enriched4h agov2

Tags

XSS

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33810EXP

Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509

HIGHCVE-2026-32288EXP

Unbounded allocation for old GNU sparse in archive/tar

HIGHCVE-2026-32283EXP

Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls

HIGHCVE-2026-32281EXP

Inefficient policy validation in crypto/x509

CRITICALCVE-2026-32282

TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Actively Exploited

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity, activelyExploited, cweIds, tags

Apr 8, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 1.25.8 and 1.26.1, changed severity to HIGH, and noted that there is no available exploit.

affectedVersionsseverityactivelyExploitedcweIdstags

via VulDB

v18h ago

Initial creation