Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-23026

Good to know:

icon
icon

Date: January 13, 2025

jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with "script" tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The "javaScriptBlock" and "javaScriptAttribute" methods in the "Escape" class do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. HTML templates rendered by Jte's "OwaspHtmlTemplateOutput" in versions less than or equal to "3.1.15" with "script" tags or script attributes that contain Javascript template strings (backticks) are vulnerable. Users are advised to upgrade to version 3.1.16 or later to resolve this issue. There are no known workarounds for this vulnerability.

Severity Score

Related Resources (7)

https://github.com/casid/jte/commit/a6fb00d53c7b8dbb86de933215dbe1b9191a57f1
https://nvd.nist.gov/vuln/detail/CVE-2025-23026
https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description
https://github.com/casid/jte/security/advisories/GHSA-vh22-6c6h-rm8q
https://github.com/casid/jte
https://www.mend.io/vulnerability-database/CVE-2025-23026

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-150

Top Fix

icon

Upgrade Version

Upgrade to version gg.jte:jte-runtime:3.1.16

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us