Medium severity6.1NVD Advisory· Published May 19, 2026· Updated May 20, 2026
CVE-2026-5090
CVE-2026-5090
Description
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.
The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in
would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,
var = " ' onclick='while (true) { alert(1) }'"
Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <= 3.102
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.