PT-2026-42022 · Cpan · Template::Plugin::Html

Robert Rothenberg · Published 2026-05-19 · Updated 2026-05-20 · CVE-2026-5090

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Template::Plugin::HTML versions prior to 3.103

Description: Template::Plugin::HTML for Perl allows the injection of HTML and JavaScript. The html filter() function fails to escape single quotes, which enables code injection within HTML attributes enclosed in single quotes. For instance, a variable such as var used in <a id='ref' title='[% var | html %]'> is not properly escaped. An attacker could supply a value such as ' onclick='while (true) { alert(1) }' to execute a script. The ability to inject arbitrary HTML and JavaScript is limited because angle brackets, ampersands, and double quotes remain escaped.

Recommendations: Update to a version later than 3.102. As a temporary workaround, avoid using single quotes for HTML attributes whose values pass through the html filter() function.
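The following Python example is added for this page; it is not code from Template::Plugin::HTML or from the advisory. It shows why escaping only &, <, > and " is insufficient inside a single-quoted attribute and what a corrected filter has to do, and it turns the workaround into a check: a scanner that flags single-quoted attributes whose value passes through the html filter. The escaper is a hand-written stand-in for the module's filter, the &#39; replacement string and the [% ... | html %] syntax the scanner matches are assumptions, and the template and the attribute value are constructed from the advisory's example.

```python
import re

# Hand-written stand-in for an "html" filter, written for this page, not
# Template Toolkit's own implementation. The advisory states the vulnerable
# filter escapes &, <, > and " but not the single quote; the hardened table
# adds it. The fixed module's exact replacement string is an assumption.
WEAK_TABLE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
SAFE_TABLE = {**WEAK_TABLE, "'": "&#39;"}


def _escape(value, table):
    """Single-pass, character-by-character escaping (no double-encoding of &)."""
    return "".join(table.get(ch, ch) for ch in value)


def escape_weak(value):
    """Mimics the pre-fix behaviour: the single quote passes through untouched."""
    return _escape(value, WEAK_TABLE)


def escape_safe(value):
    """Hardened form: every attribute-delimiting character is neutralised."""
    return _escape(value, SAFE_TABLE)


def render_title(value, escaper):
    """Render the advisory's example tag with the given escaper."""
    return f"<a id='ref' title='{escaper(value)}'>"


# A rendered tag is acceptable only if the whole value stays inside the
# single-quoted title attribute and no further attribute appears.
_SINGLE_ATTR_RE = re.compile(r"^<a id='ref' title='([^']*)'>$")


def stays_in_attribute(tag):
    """True if the tag still has exactly one title attribute and nothing else."""
    return _SINGLE_ATTR_RE.match(tag) is not None


# Workaround check: flag single-quoted attributes whose value goes through
# the html filter. The [% ... | html %] syntax matched here is an assumption
# made for this demo, not a full Template Toolkit parser.
_SINGLE_QUOTED_HTML_FILTER_RE = re.compile(
    r"([\w-]+)='[^']*\[%[^%]*?\|\s*html\s*%\][^']*'"
)


def find_single_quoted_html_filters(template_text):
    """Return (line_number, attribute_name) for each single-quoted html-filtered attribute."""
    hits = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for match in _SINGLE_QUOTED_HTML_FILTER_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample template for the scanner: lines 1 and 3 use single
# quotes around an html-filtered value, line 2 uses double quotes.
SAMPLE_TEMPLATE = """<a id='ref' title='[% var | html %]'>link</a>
<img src="[% img | html %]" alt="[% alt | html %]">
<input value='[% name | html %]'>
"""

if __name__ == "__main__":
    sample = "' onclick='while (true) { alert(1) }'"  # value quoted in the advisory
    for name, escaper in (("weak", escape_weak), ("safe", escape_safe)):
        tag = render_title(sample, escaper)
        print(f"{name}: {tag}  -> value stays inside attribute: {stays_in_attribute(tag)}")
    for lineno, attr in find_single_quoted_html_filters(SAMPLE_TEMPLATE):
        print(f"line {lineno}: attribute {attr!r} is single-quoted and uses the html filter")
```

With the weak escaper the advisory's value closes the title attribute and leaves the rest of the string as new attribute text; with the hardened escaper the same value is rendered entirely inside the attribute. The scanner reports lines 1 and 3 of the sample template, which is exactly the pattern the workaround tells you to avoid until the fixed version is installed.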

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-5090

Affected Products: Template::Plugin::Html