VYPR
Medium severity6.1NVD Advisory· Published May 19, 2026· Updated May 20, 2026

CVE-2026-5090

CVE-2026-5090

Description

Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.

The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in

would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,

var = " ' onclick='while (true) { alert(1) }'"

Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.