CVE-2026-5090
Description
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.
The html_filter function did not escape single quotes. HTML attributes inside single quotes could have code injected. For example, the variable "var" in
would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,
var = " ' onclick='while (true) { alert(1) }'"
Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Template::Plugin::HTML up to 3.102 for Perl fails to escape single quotes, allowing HTML/JS injection in single-quoted attributes.
Vulnerability
Template::Plugin::HTML versions through 3.102 for Perl contained a cross-site scripting (XSS) vulnerability in the html_filter function [1][2][3]. The filter escaped <, >, &, and double-quote (") characters but neglected to escape single quotes ('). This allowed injection of HTML attributes and JavaScript when user-controlled variables were placed inside single-quoted attribute contexts, such as `` [1]. The issue affects all Template-Toolkit distributions up to and including version 3.102 [1].
Exploitation
An attacker who can control the value of a variable passed through the html filter can craft a payload that introduces an arbitrary HTML attribute, such as an onclick event handler [1]. For example, the value ' onclick='while (true) { alert(1) }' would break out of the single-quoted attribute and inject a new attribute with JavaScript code [1]. The attacker does not require any special network position beyond the ability to submit such content, and the victim only needs to view the rendered page. Angle brackets, ampersands, and double quotes are still properly escaped, which limits injection of arbitrary HTML structures but does not prevent attribute-based injection [1][3].
Impact
Successful exploitation allows an attacker to inject JavaScript code into the generated HTML page, leading to cross-site scripting (XSS). The attacker can execute arbitrary scripts in the context of the victim's browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user [1]. The compromise scope is limited to client-side execution; no server-side code execution is achieved.
Mitigation
The issue was resolved in a pull request on GitHub, which added single-quote escaping (') to the html_filter function [2]. As of the publication date (2026-05-19), a fixed version has not yet been released as a CPAN update [1]. Users are advised to apply the patch manually from the referenced pull request [2] or avoid using the html filter with single-quoted attributes until an official patched release (e.g., 3.103 or later) becomes available. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
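A minimal reconstruction of the defect described under Vulnerability and Exploitation and of the fix described here, added as an example and not the module's own code: both filters below are written for this page, modelled on the behaviour the description gives (&, <, > and " escaped, ' passed through), and the `<a title='...'>` template shape is an assumption.

```perl
#!/usr/bin/perl
# Constructed example, not Template::Plugin::HTML's code: a filter with the
# escaping behaviour the CVE text describes, beside a corrected version.
use strict;
use warnings;

# Vulnerable behaviour: & < > " are escaped, the single quote is not.
sub html_filter_vulnerable {
    my ($text) = @_;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
    }
    return $text;
}

# Corrected behaviour: additionally replace ' with the numeric entity &#39;
# (preferred over &apos;, which older HTML parsers do not recognise).
sub html_filter_fixed {
    my ($text) = @_;
    $text = html_filter_vulnerable($text);
    $text =~ s/'/&#39;/g;
    return $text;
}

# Place the filtered value in a single-quoted attribute, as a template like
# <a title='[% var | html %]'> would (assumed template shape).
sub render_attr {
    my ($filter, $var) = @_;
    return "<a title='" . $filter->($var) . "'>x</a>";
}

# Constructed input: the value quoted in the CVE description.
my $var = " ' onclick='while (true) { alert(1) }'";

print "vulnerable: ", render_attr(\&html_filter_vulnerable, $var), "\n";
print "fixed:      ", render_attr(\&html_filter_fixed, $var), "\n";

# Regression check a test suite could keep: no raw single quote may survive
# filtering, so the value can never close a single-quoted attribute.
die "single quote survived html_filter_fixed\n"
    if html_filter_fixed($var) =~ /'/;
```

With the vulnerable filter the rendered tag gains an `onclick` attribute; with the fixed filter every quote is emitted as `&#39;` and the value stays inside the `title` attribute.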
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 3.102
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.