CVE-2026-5090: Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected
Robert Rothenberg 19 May 2026 21:31 UTC
========================================================================
CVE-2026-5090 CPAN Security Group
========================================================================
CVE ID: CVE-2026-5090
Distribution: Template-Toolkit
Versions: through 3.102
MetaCPAN: https://metacpan.org/dist/Template-Toolkit
VCS Repo: https://github.com/abw/Template2
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and
JavaScript to be injected
Description
-----------
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and
JavaScript to be injected.
The html_filter function did not escape single quotes, so an HTML
attribute whose value is delimited by single quotes could have code
injected into it. For example, the variable "var" in
<a id='ref' title='[% var | html %]'>
would not be properly escaped. An attacker could insert some limited
HTML and JavaScript, for example,
var = " ' onclick='while (true) { alert(1) }'"
Note that arbitrary HTML and JavaScript would be difficult to inject,
because angle brackets, ampersands and double-quotes would still be
escaped.
Problem types
-------------
- CWE-79 Improper Neutralization of Input During Web Page Generation
Workarounds
-----------
Attribute values in templates that contain html-filtered output should
be delimited with double quotes instead of single quotes, since double
quotes are escaped by the filter and single quotes are not.
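The following is an added example, not code from Template Toolkit or from the advisory. It reimplements the two escaping behaviours the advisory describes (a filter that leaves single quotes alone, as in versions through 3.102, and one that escapes them) and renders the advisory's anchor tag with the advisory's own sample value, so the attribute breakout and the double-quote workaround can be checked offline. The attribute tokeniser and the names html_filter_incomplete, html_filter_complete, render_anchor, attribute_names and is_safely_escaped are assumptions of this example.

```python
import re

# Added example, not Template Toolkit's own code. Two variants of an
# html-style filter: one that leaves single quotes unescaped (the behaviour
# the advisory describes for versions through 3.102) and one that escapes
# them, plus a crude attribute scanner approximating how a browser would
# tokenise the rendered tag.

def html_filter_incomplete(text: str) -> str:
    """Escape &, <, > and double quotes; single quotes pass through unchanged."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def html_filter_complete(text: str) -> str:
    """Same as above, and also turns the single quote into &#39;."""
    return html_filter_incomplete(text).replace("'", "&#39;")


def render_anchor(value: str, html_filter, quote: str = "'") -> str:
    """Render the advisory's anchor tag; `quote` delimits the title attribute."""
    return f"<a id='ref' title={quote}{html_filter(value)}{quote}>"


# name=value pairs with either quote style, in document order (hypothetical
# tokeniser; it only needs to show which attribute names survive rendering).
_ATTR_RE = re.compile(r"""(\w+)=(?:"[^"]*"|'[^']*')""")


def attribute_names(markup: str) -> list:
    """Return the attribute names a browser would see in the rendered tag."""
    return _ATTR_RE.findall(markup)


def is_safely_escaped(html_filter) -> bool:
    """Unit check a maintainer can run: no raw quote of either kind survives."""
    out = html_filter("\"'")
    return "'" not in out and '"' not in out


# The sample value quoted in the advisory (constructed test input).
SAMPLE_VALUE = " ' onclick='while (true) { alert(1) }'"

if __name__ == "__main__":
    for name, flt in (("incomplete", html_filter_incomplete),
                      ("complete", html_filter_complete)):
        rendered = render_anchor(SAMPLE_VALUE, flt)
        print(name, is_safely_escaped(flt), attribute_names(rendered))
    # The workaround: same incomplete filter, but double-quoted attribute.
    print("workaround",
          attribute_names(render_anchor(SAMPLE_VALUE, html_filter_incomplete, '"')))
```

With the incomplete filter and single-quoted attribute, the scanner reports an extra onclick attribute; with either the complete filter or the double-quote workaround, only id and title remain. The is_safely_escaped check is the kind of regression test that would have caught the missing single-quote case in a filter's own test suite.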
References
----------
https://github.com/abw/Template2/issues/327
https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae
Timeline
--------
- 2024-12-01: Issue reported in GitHub.
- 2026-02-21: Pull request submitted.
- 2026-03-22: Pull request merged.
- 2026-03-22: Issue reported to CPANSec.
- 2026-03-28: CVE assigned.