Description

### Summary Jte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS. ### Details The `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class ([source](https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83)) do not escape backticks, which are used for Javascript [template strings](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description). Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. ### PoC 1. Use the [Jte Gradle Plugin](https://jte.gg/gradle-plugin/) with the following code in `src/jte/xss.jte`: ```html @param String someMessage <!DOCTYPE html> <html lang="en"> <head> <title>XSS Test</title> <script>window.someVariable = `${someMessage}`;</script> </head> <body> <h1>XSS Test</h1> </body> </html> ``` 2. Use the following Java code to demonstrate the XSS vulnerability: ```java final StringOutput output = new StringOutput(); JtexssGenerated.render(new OwaspHtmlTemplateOutput(output), null, "` + alert(`xss`) + `"); renderHtml(output); ``` ### Impact HTML templates rendered by Jte's `OwaspHtmlTemplateOutput` in versions less than or equal to `3.1.15` with `script` tags or script attributes that contain Javascript template strings (backticks) are vulnerable.

How to fix CVE-2025-23026

To remediate CVE-2025-23026, upgrade the affected package to a fixed version below.

• —upgrade to 3.1.16 or later
• —upgrade to 3.1.16 or later

Is CVE-2025-23026 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)