Context was not properly tracked across template branches for JS template
literals, leading to possibly incorrect escaping of content when branches were
used.
Additionally template actions within JS template literals did not properly track
the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly
or improperly escaped, leading to XSS vulnerabilities.
This only affects templates that use template actions within JS template literals.
This is CVE-2026-32289 and Go issue https://go.dev/issue/78331.
This is a PRIVATE issue for CVE-2026-32289, tracked in http://b/491530416 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3882.
/cc @golang/security and @golang/release
Context was not properly tracked across template branches for JS template
literals, leading to possibly incorrect escaping of content when branches were
used.
Additionally template actions within JS template literals did not properly track
the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly
or improperly escaped, leading to XSS vulnerabilities.
This only affects templates that use template actions within JS template literals.
This is CVE-2026-32289 and Go issue https://go.dev/issue/78331.
This is a PRIVATE issue for CVE-2026-32289, tracked in http://b/491530416 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3882.
/cc @golang/security and @golang/release