{"id":"GO-2026-4980","summary":"Escaper bypass leads to XSS in html/template","details":"If a trusted template author were to write a \u003cscript\u003e tag with an empty 'type' attribute or a 'type' attribute with ASCII whitespace in its value, the execution of the template would incorrectly escape any data passed into the \u003cscript\u003e block, which can lead to cross-site scripting (XSS).","aliases":["BIT-golang-2026-39826","CVE-2026-39826"],"modified":"2026-05-11T08:11:24.291670396Z","published":"2026-05-07T19:21:40Z","related":["CGA-4mcr-6mw7-3w72"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4980"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78981"},{"type":"FIX","url":"https://go.dev/cl/771180"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["Template.Execute","Template.ExecuteTemplate","isJSType"],"path":"html/template"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4980.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mundur (https://github.com/M0nd0R)"}]}