Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Incorrect escaping in JavaScript template literals
DEBIAN-CVE-2026-32289
Summary
Using JavaScript template literals in specific cases could lead to incorrect content escaping, potentially allowing malicious code to be injected. This affects users of JavaScript template literals, particularly in web applications. To fix, ensure you're using template literals correctly and update your code to prevent potential security issues.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | golang-1.15 | All versions | – |
| debian | golang-1.19 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.24 | All versions | – |
| debian | golang-1.25 | All versions | – |
| debian | golang-1.26 | All versions | – |
Original title
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within J...
Original description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
- https://security-tracker.debian.org/tracker/CVE-2026-32289 Vendor Advisory
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026