1. Go html/template XSS Bypass Disclosed: Atypical Script Blocks with Empty type Attribute Evade Escapers, CVE-2026-39826
A critical security bypass has been disclosed in Go's `html/template` package that enables cross-site scripting through dynamic content injection into `<script>` blocks. The vulnerability exploits how the escaper handles non-standard `type` attribute values, specifically empty strings, whitespace, and tab characters. A...