PT-2025-4773 · Jte · Jte
Petersoj · Published 2025-01-13 · Updated 2025-01-14 · CVE-2025-23026
CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
jte (Java Template Engine) versions 3.1.15 and earlier

Description
The issue affects Jte HTML templates whose script tags or script attributes include a JavaScript template string (backticks), making them subject to XSS. The javaScriptBlock and javaScriptAttribute methods in the Escape class do not escape backticks, which delimit JavaScript template strings. Dollar signs inside template strings should also be escaped, to prevent unintended interpolation. HTML templates rendered by Jte's OwaspHtmlTemplateOutput in versions 3.1.15 and earlier are vulnerable when they contain script tags or script attributes that hold JavaScript template strings (backticks).

Recommendations
To resolve this issue, users are advised to upgrade to version 3.1.16 or later. As a temporary workaround, consider disabling the javaScriptBlock and javaScriptAttribute methods in the Escape class until a patch is available. Restrict access to the OwaspHtmlTemplateOutput module to minimize the risk of exploitation. Avoid using script tags or script attributes that contain JavaScript template strings (backticks) in the affected API endpoint until the issue is resolved.
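As an added example, and not Jte's code nor its Escape class: a minimal escaper for untrusted text in a JavaScript string context, written in the weak form the advisory describes (quotes, backslashes, newlines and angle brackets handled, backtick and dollar sign left alone), beside a hardened variant that also neutralizes the backtick and the "${" sequence. A round-trip check embeds each result in a template literal and confirms that only the hardened output parses back to the original text. The function names and the sample string are constructed for this illustration.

```javascript
// Weak escaper: the classic quote/backslash/newline/angle-bracket cases,
// but backtick and dollar sign pass through untouched. Written here to
// illustrate the defect class; it is not copied from Jte.
function escapeJsStringWeak(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/</g, "\\u003C") // keeps "</script>" from closing the block
    .replace(/>/g, "\\u003E");
}

// Hardened escaper: the same, plus backtick and dollar sign as \uXXXX
// escapes. A template literal decodes "\u0060" to a data backtick and
// "\u0024{" to the two literal characters "${", so neither can end the
// string or start an interpolation.
function escapeJsString(value) {
  return escapeJsStringWeak(value)
    .replace(/`/g, "\\u0060")
    .replace(/\$/g, "\\u0024");
}

// Verification harness only: embed the escaped text in a template literal
// and evaluate it. Returns the decoded string, or null when the embedding
// is not a valid program (or fails at runtime).
function roundTripViaTemplateLiteral(escaped) {
  try {
    return new Function("return `" + escaped + "`;")();
  } catch (e) {
    return null;
  }
}

// Constructed sample: innocuous text that happens to contain both the
// backtick and the "${" sequence the advisory says must be escaped.
const SAMPLE = "O`Neil's total: ${total}";

// Compare both escapers on one value: the weak result fails to round-trip
// (the embedded backtick ends the literal early), the hardened one returns
// the original text unchanged.
function compareEscapers(value) {
  return {
    weak: roundTripViaTemplateLiteral(escapeJsStringWeak(value)),
    hardened: roundTripViaTemplateLiteral(escapeJsString(value)),
  };
}

console.log(compareEscapers(SAMPLE));
```

The hardened variant is the shape to look for when reviewing any JavaScript-context escaper: every character that has delimiter meaning in single-quoted, double-quoted and template-literal strings alike must be encoded, and the cheapest way to be sure is a round-trip test like the one above on strings that contain all of them.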

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-23026
GHSA-VH22-6C6H-RM8Q

Affected Products

Jte