#1137160 libtemplate-perl: CVE-2026-5090

Package: src:libtemplate-perl
Source: src:libtemplate-perl
Submitter: Salvatore Bonaccorso
Date: 2026-05-20 15:05:01 UTC
Severity: normal

#1137160#5
Date:
2026-05-20 07:05:45 UTC
Hi,

The following vulnerability was published for libtemplate-perl.

CVE-2026-5090[0]:
| Template::Plugin::HTML versions through 3.102 for Perl allows HTML
| and JavaScript to be injected.  The html_filter function did not
| escape single quotes. HTML attributes inside of single quotes could
| have code injected.  For example, the variable "var" in
|     <a id='ref' title='[% var | html %]'>
| would not be properly escaped. An attacker could insert some limited
| HTML and JavaScript, for example,
|     var = " ' onclick='while (true) { alert(1) }'"
| Note that arbitrary HTML and JavaScript would be difficult to inject,
| because angle brackets, ampersands and double-quotes would still be
| escaped.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-5090
https://www.cve.org/CVERecord?id=CVE-2026-5090
[1] https://lists.security.metacpan.org/cve-announce/msg/40218729/
[2] https://github.com/abw/Template2/issues/327
[3] https://github.com/cpan-authors/Template2/pull/337
[4] https://github.com/cpan-authors/Template2/commit/11c78a7a771d4af505efeb754a0b8775689c2eae

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
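
The quoting problem described in the advisory above, as an added Perl example that is not part of the bug report and is not the module's source. `filter_before` and `filter_after` are hypothetical stand-ins for the filter without and with single-quote escaping, `attribute_names` is a helper written for this sketch, and the `&#39;` entity is an assumed choice.

```perl
use strict;
use warnings;

# Stand-in for the behaviour the advisory describes (not the module's source):
# &, <, > and " are escaped, the single quote is left alone.
sub filter_before {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Same filter with the single quote escaped as well. The numeric entity
# &#39; is this example's choice, not taken from the upstream patch.
sub filter_after {
    my ($text) = @_;
    $text = filter_before($text);
    $text =~ s/'/&#39;/g;
    return $text;
}

# Names of the quoted attributes found in one rendered start tag.
sub attribute_names {
    my ($tag) = @_;
    my @names;
    while ($tag =~ /([\w-]+)\s*=\s*(?:'[^']*'|"[^"]*")/g) {
        push @names, $1;
    }
    return @names;
}

# The value and the single-quoted attribute quoted in the advisory text.
my $var = q{ ' onclick='while (true) { alert(1) }'};

for my $case ([before => \&filter_before], [after => \&filter_after]) {
    my ($label, $filter) = @$case;
    my $tag = "<a id='ref' title='" . $filter->($var) . "'>";
    printf "%-6s %s\n       attributes: %s\n",
        $label, $tag, join(', ', attribute_names($tag));
}
```

With `filter_before` the rendered tag parses as three attributes (id, title, onclick); with `filter_after` the value stays inside title and only id and title are found.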

#1137160#8
Date:
2026-05-20 14:48:08 UTC
Hello,

Bug #1137160 in libtemplate-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libtemplate-perl/-/commit/be640f2362b4f655c2e7af1c00fd80d14ab4adfe
------------------------------------------------------------------------
Add patch from upstream Git to escape single quotes in HTML filter.

Fixes CVE-2026-5090: allows HTML and JavaScript to be injected

Closes: #1137160
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1137160

#1137160#15
Date:
2026-05-20 15:04:06 UTC
We believe that the bug you reported is fixed in the latest version of
libtemplate-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libtemplate-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 20 May 2026 16:44:18 +0200
Source: libtemplate-perl
Architecture: source
Version: 3.102-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1137160
Changes:
 libtemplate-perl (3.102-3) unstable; urgency=medium
 .
   * Team upload.
   * Add patch from upstream Git to escape single quotes in HTML filter.
     Fixes CVE-2026-5090: allows HTML and JavaScript to be injected.
     (Closes: #1137160)
Git-Tag-Info: tag=e6d12d8b53ae5957a7de0865cbd3359b226a7475 fp=d1e1316e93a760a8104d85fabb3a68018649aa06
Git-Tag-Tagger: gregor herrmann <gregoa@debian.org>