CVE-2026-32289
Go 脆弱性の分析と軽減

概要

CVE-2026-32289 is a Cross-Site Scripting (XSS) vulnerability in Go's html/template standard library package, caused by improper context tracking and brace depth handling within JavaScript template literals. Context was not properly tracked across template branches, and template actions within JS template literals did not properly track brace depth, leading to incorrect or missing escaping of content. Affected versions are Go 1.25.x before 1.25.9 and Go 1.26.0 before 1.26.2. It was published on April 8, 2026, with a CVSS v3.1 base score of 6.1 (Medium) (GitHub Advisory, Feedly).

技術的な詳細

The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Two distinct flaws exist in Go's html/template package: (1) template context state is not correctly propagated across conditional branches when rendering JS template literals, and (2) template actions inside JS template literals fail to track curly-brace depth, causing the template engine to apply incorrect escaping rules. An attacker who can influence data rendered inside a JS template literal in an affected Go web application can inject unescaped JavaScript, triggering XSS in the victim's browser. No authentication is required on the attacker's side, but user interaction (visiting a crafted or compromised page) is needed (GitHub Advisory, Go Vuln DB).

影響

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim user's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The scope is changed (S:C), meaning the impact extends beyond the vulnerable component to the user's browser environment. Confidentiality and integrity are both assessed as low impact, with no availability impact; however, chained with social engineering or persistent injection, the practical risk to user data and sessions can be significant (GitHub Advisory, Feedly).

エクスプロイテーションのステップ

  1. Identify a target application: Find a Go web application that uses the html/template package (versions before 1.25.9 or 1.26.2) and renders user-controlled data inside JavaScript template literals (backtick strings) within HTML templates.
  2. Craft a malicious payload: Prepare input that exploits the incorrect brace-depth or branch-context tracking — for example, input containing JS template literal syntax (e.g., ${...}) or conditional branch content that causes the template engine to skip or misapply escaping.
  3. Deliver the payload: Submit the crafted input through any user-controlled field (form input, URL parameter, API request body) that is subsequently rendered by the vulnerable template into a JS template literal context.
  4. Trigger victim execution: Induce a victim user to visit the page rendering the injected content (e.g., via phishing link or stored XSS in a shared resource), causing the unescaped JavaScript to execute in their browser.
  5. Achieve objective: The executed script can steal session cookies, perform actions on behalf of the user, exfiltrate sensitive page data, or redirect the user to a malicious site (GitHub Advisory, Go Vuln DB).

妥協の兆候

  • Logs: Web server access logs showing requests with payloads containing JS template literal syntax (e.g., ${, backtick characters, or encoded equivalents) in user-supplied parameters rendered by Go html/template.
  • Network: Unexpected outbound requests from victim browsers to attacker-controlled domains following interaction with affected pages; unusual JavaScript-initiated HTTP requests in browser network logs.
  • Application Behavior: Unexpected JavaScript execution or error messages in browser consoles related to template rendering; reports from users of unexpected redirects or pop-ups on Go-based web applications.
  • File System: If the XSS is stored, look for persisted malicious payloads containing ${...} or backtick-delimited strings in application databases or user-generated content stores.

軽減策と回避策

Upgrade Go to version 1.25.9 (for the 1.25.x branch) or 1.26.2 (for the 1.26.x branch) to receive the fix (Go Vuln DB, Go CL). Organizations should audit all Go applications using html/template that render user-controlled data within JavaScript template literals and prioritize upgrading the Go toolchain. As a temporary workaround, avoid rendering untrusted user input directly inside JS template literals in Go templates until the patch is applied. Downstream distributions (openSUSE, Amazon Linux 2, Amazon Linux 2023) have also released updated packages incorporating the fix (openSUSE Advisory).

コミュニティの反応

The Go team announced the vulnerability via the golang-announce mailing list and published a fix through the official Go change list (golang-announce). The vulnerability was discussed on oss-security mailing lists and picked up by Linux security news outlets covering the openSUSE and SUSE package updates (oss-sec). Downstream projects such as Portainer, oauth2-proxy, rclone, and CoreDNS have issued updated releases incorporating the patched Go version. Social media activity on Bluesky and Mastodon was limited, reflecting the moderate severity and lack of active exploitation.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 Go 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2023-54365HIGH8.7
  • Go logoGo
  • traefik
いいえはいJun 23, 2026
CVE-2026-39822HIGH7.8
  • Go logoGo
  • argo-events
いいえはいJul 08, 2026
CVE-2026-42504HIGH7.5
  • Go logoGo
  • victoriametrics-operator-fips
いいえはいJun 02, 2026
CVE-2026-42505MEDIUM5.3
  • Go logoGo
  • gcp-compute-persistent-disk-csi-driver-fips-1.26
いいえはいJul 08, 2026
CVE-2026-42507MEDIUM5.3
  • Go logoGo
  • grafana-pyroscope-1.16
いいえはいJun 02, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者