PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5090 TODDR CVE debrief

CVE-2026-5090 affects Template::Plugin::HTML versions through 3.102 for Perl. According to the published description, the module's html_filter function did not escape single quotes, which means data placed into HTML attributes delimited by single quotes could break out of the attribute and inject limited HTML or JavaScript. The issue is narrower than full raw HTML injection because angle brackets, ampersands, and double quotes are still escaped, but it is still sufficient for cross-site scripting in vulnerable template patterns. NVD assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and maps the weakness to CWE-79. The record was published on 2026-05-19 and later modified on 2026-05-20.

Vendor: TODDR
Product: Template::Plugin::HTML
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Teams maintaining or operating Perl applications that use Template::Plugin::HTML, especially where untrusted values are rendered into single-quoted HTML attributes. Web application security owners reviewing template escaping and output encoding should also treat this as a user-interaction-driven XSS risk.

Technical summary

The flaw is in attribute-context escaping: html_filter does not escape the single quote character. In a template pattern such as a single-quoted attribute containing a filtered variable, attacker-controlled input can terminate the attribute value and inject event-handler or similar limited script-bearing markup. Because other metacharacters remain escaped, exploitation is constrained, but the condition still fits cross-site scripting. The supplied NVD metadata classifies the issue as CWE-79 with a network-reachable, user-interaction-required attack profile.

Defensive priority

Medium. The issue is remotely reachable in web applications but requires a vulnerable template pattern and user interaction, so it is not an emergency for every Perl deployment. Prioritize systems that render untrusted content into single-quoted HTML attributes with this plugin.

Recommended defensive actions

  • Inventory applications and templates that use Template::Plugin::HTML.
  • Find any single-quoted HTML attributes that render untrusted values through the html filter.
  • Review the upstream issue and pull request references for the coordinated fix and any release guidance.
  • Upgrade to a corrected release or apply the upstream patch as soon as one is available.
  • Re-test affected templates after remediation to confirm attribute-context escaping is correct.
  • Prefer context-appropriate escaping and avoid assuming a general HTML filter is safe in all attribute contexts.
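As an added model of the attribute-context flaw described in the technical summary and of the re-test step above (example code written here in Python, not the Perl module's own code): a weak escaping table mirroring the described pre-fix html_filter behaviour sits beside an attribute-safe one, and a check renders a constructed single-quoted-attribute template, parses it back the way a browser would, and confirms the untrusted value stayed inside its attribute. The template string, probe value and function names are constructed for this example.

```python
from html.parser import HTMLParser

# Escaping as the advisory describes the pre-fix html_filter: the four
# classic metacharacters are encoded, but the single quote passes through.
WEAK_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
# Context-appropriate escaping for attribute values: also encode the
# single quote so it can never terminate a '-delimited attribute.
FIXED_MAP = dict(WEAK_MAP, **{"'": "&#39;"})


def escape(value, table):
    """Per-character entity encoding driven by the given table."""
    return "".join(table.get(ch, ch) for ch in value)


class _AttrCollector(HTMLParser):
    """Records the attribute list of the first start tag encountered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = attrs


def render_title(value, table):
    """Constructed template: an untrusted value inside a single-quoted attribute."""
    return "<a title='%s' href='/'>link</a>" % escape(value, table)


def attribute_is_intact(value, table):
    """Re-test: render, parse back, and require that the untrusted value is
    still confined to the one attribute it was placed in (no extra attributes,
    and the decoded title equals the original input)."""
    parser = _AttrCollector()
    parser.feed(render_title(value, table))
    parser.close()
    attrs = dict(parser.attrs or [])
    return set(attrs) == {"title", "href"} and attrs["title"] == value


if __name__ == "__main__":
    probe = "x' data-probe='y"  # constructed breakout probe, benign attribute
    for name, table in (("weak", WEAK_MAP), ("fixed", FIXED_MAP)):
        print(name, render_title(probe, table), attribute_is_intact(probe, table))
```

A template passes the re-test only when the check returns True for every escaping path that feeds a single-quoted attribute; the weak table fails on the probe because the parser recovers a second, injected attribute.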

Evidence notes

The source description states that Template::Plugin::HTML through 3.102 for Perl allows HTML and JavaScript injection because html_filter did not escape single quotes. The NVD metadata for the same CVE lists vulnStatus as Deferred, assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and maps the weakness to CWE-79. The supplied references point to an upstream GitHub issue, a GitHub pull request changes page, and an oss-security thread. The corpus does not provide a fixed version number.

Official resources

CVE published on 2026-05-19 and modified on 2026-05-20. NVD's linked record was also updated on 2026-05-20 and shows vulnStatus "Deferred".