Go html/template XSS Bypass Disclosed: Atypical Script Blocks with Empty type Attribute Evade Escapers, CVE-2026-39826

A critical security bypass has been disclosed in Go's `html/template` package that enables cross-site scripting through dynamic content injection into `<script>` blocks. The vulnerability exploits how the escaper handles non-standard `type` attribute values, specifically empty strings, whitespace, and tab characters. Attackers can bypass standard output escaping by embedding malicious content within these atypical script contexts, allowing code execution in victim browsers when rendered pages contain user-supplied data.

The escaper flaw was identified in three specific attack patterns: `<script type="">{{.}}</script>`, `<script type=" ">{{.}}</script>`, and `<script type="\t">{{.}}</script>`. In each case, the escaper fails to properly sanitize content inserted via Go template syntax, creating a direct injection vector. The issue was discovered and reported by security researcher Mundur, operating under the alias M0nd0R. The vulnerability has been assigned CVE-2026-39826 and is tracked under internal reference b/496225621. The flaw has been classified as a public-track vulnerability, indicating broader visibility and potential exposure across affected deployments.

The vulnerability raises significant concerns for applications relying on `html/template` to safely render HTML containing dynamic user content. Developers using this package for output encoding should evaluate their exposure, particularly in contexts where script blocks may be rendered with variable or user-controlled attributes. Patches or mitigating guidance from the Go security team are expected to follow standard disclosure timelines for publicly tracked vulnerabilities. Organizations are advised to monitor official Go security channels for updates and apply recommended remediation measures once available.