CVE-2026-5090 Overview
CVE-2026-5090 is a cross-site scripting (XSS) vulnerability in the Perl module Template::Plugin::HTML versions through 3.102. The html_filter function fails to escape single quote characters when encoding output. Applications using the html filter to sanitize variables placed inside single-quoted HTML attributes remain vulnerable to attribute-context injection. An attacker who controls a filtered value can break out of the attribute and inject event handlers such as onclick, leading to arbitrary JavaScript execution in the victim's browser. The flaw is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can inject limited HTML and JavaScript through single-quoted attribute contexts, enabling session hijacking, credential theft, or arbitrary actions performed as the targeted user.
Affected Products
- Template::Plugin::HTML for Perl, versions through 3.102
- Perl applications using the Template Toolkit html filter to sanitize values placed inside single-quoted HTML attributes
- Downstream Perl web applications and frameworks that depend on Template Toolkit for output encoding
Discovery Timeline
- 2026-05-19 - CVE-2026-5090 published to the National Vulnerability Database
- 2026-05-19 - Public disclosure on the Openwall oss-security mailing list
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-5090
Vulnerability Analysis
The vulnerability stems from incomplete output encoding in the html_filter function shipped with Template::Plugin::HTML. The filter escapes <, >, &, and double quotes, but does not escape single quotes. Developers commonly rely on the | html filter as a general-purpose XSS defense across template contexts. When a filtered value is rendered inside a single-quoted attribute, an attacker-controlled string containing a single quote can terminate the attribute and append new attributes such as event handlers.
The disclosure provides a representative template fragment: <a id='ref' title='[% var | html %]'>. Supplying var = " ' onclick='while (true) { alert(1) }'" closes the title attribute and injects an onclick handler. Arbitrary HTML injection is constrained because <, >, and & remain encoded, but JavaScript execution through inline event handlers is achievable.
Root Cause
The root cause is an incomplete character escape list in html_filter. HTML attribute values delimited by single quotes require the apostrophe (' or its numeric reference ') to be encoded. Because the function omits this character, the encoded output remains unsafe in single-quoted attribute contexts, violating the contract developers expect from a generic HTML escaper.
Attack Vector
Exploitation requires an attacker to influence a value that is rendered inside a single-quoted HTML attribute through the html filter, and to convince a victim to load the resulting page. The injection payload terminates the attribute with ', appends an event handler such as onclick or onmouseover, and executes JavaScript when the victim interacts with the element. Because the scope changes from the template engine to the user's browser, the issue carries a scope-changed impact in the CVSS vector.
See the GitHub issue discussion and the upstream pull request for the exact code paths and proposed fix.
Detection Methods for CVE-2026-5090
Indicators of Compromise
- Web server access logs containing URL-encoded single quotes (%27) followed by onclick, onerror, onmouseover, or other event handler names in request parameters
- Rendered HTML responses where user-supplied data inside single-quoted attributes contains unescaped ' characters
- Browser-side errors or unexpected JavaScript executions originating from template-rendered attributes such as title, alt, or data-*
Detection Strategies
- Audit Perl codebases for installed versions of Template::Plugin::HTML at or below 3.102 using cpan -D Template::Plugin::HTML or dependency manifests
- Grep templates for single-quoted attribute patterns combined with the html filter, for example ='[% ... | html %]', and flag them for review
- Add automated XSS payload tests injecting ' onclick='alert(1) into form fields and URL parameters in staging environments
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting endpoints to capture violations from injected inline event handlers
- Forward web application firewall (WAF) and reverse proxy logs to a centralized analytics platform and alert on suspicious attribute-breakout patterns
- Monitor CPAN module update channels and the Openwall oss-security archive for patched releases and related advisories
How to Mitigate CVE-2026-5090
Immediate Actions Required
- Upgrade Template::Plugin::HTML to a release later than 3.102 once available from CPAN, or apply the upstream patch referenced in the Template2 pull request
- Convert single-quoted attributes in templates to double-quoted attributes, which the existing filter encodes correctly
- Deploy a Content Security Policy that blocks inline event handlers and inline scripts to limit exploitation impact
Patch Information
The upstream Template Toolkit maintainers tracked the fix in GitHub issue #327 and merged the change through pull request #337. The fix adds the single-quote character to the escape list inside html_filter. Verify that the deployed version of Template::Plugin::HTML includes the updated escape table before redeploying affected applications.
Workarounds
- Replace | html with a stricter filter such as | uri or a custom encoder that emits ' for single quotes when rendering inside single-quoted attributes
- Refactor templates so untrusted values appear only inside double-quoted attributes or inside text nodes
- Reject or strip single-quote characters from input fields that flow into attribute contexts, where business logic permits
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
