CVE-2026-5090
CWE-79Published: May 19, 2026· Updated: May 20, 2026
Official Description
Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected.
The html_filter function did not escape single quotes. HTML attributes inside of single quotes could be have code injected. For example, the variable "var" in
<a id='ref' title='[% var | html %]'>
would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example,
var = " ' onclick='while (true) { alert(1) }'"
Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double-quotes would still be escaped.
Technical Analysis
CVE-2026-5090 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.
From a weakness classification perspective (CWE-79): Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (3)
Quick Facts
Related CVEs (CWE-79)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-5090 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts