CVE-2026-32289
Last modified
CVE-2026-32289 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.25.9 |
| Golang | Go | >= 1.26.0, < 1.26.2 |
References
- https://go.dev/issue/78331Issue Tracking
- https://groups.google.com/g/golang-announce/c/0uYbvbPZRWUMailing List, Release Notes
- https://pkg.go.dev/vuln/GO-2026-4865Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-32289?
How severe is CVE-2026-32289?
How do I fix CVE-2026-32289?
Are you affected by CVE-2026-32289?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST