CVE-2026-27142 · Medium · CVSS 5.3
False Positive
html/template package to generate
HTML responses. The vulnerable code path in the html/template package is never
invoked during normal KrakenD operation.
Addressed through routine dependency maintenance in CE 2.13.2 and EE 2.13.0.
Component: Go standard library (html/template)
Disclosed: Mar 9, 2026
CVSS Score: 5.3
html/template package fails to properly escape URLs used in content attribute
values within <meta> HTML tags when those values are produced by template actions.
An attacker controlling the input to such a template can inject arbitrary URLs or
JavaScript pseudo-protocol handlers into the rendered HTML.
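To check whether your own Go templates contain the pattern described above, the following sketch scans template source for <meta> tags whose content attribute is produced by a template action. It is an added example, not code from KrakenD or the Go project; the function name, patterns and sample template are constructed for illustration, and it is a text heuristic rather than an HTML parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Heuristic patterns (assumptions of this example): a text scan, not an HTML parser.
var (
	action      = regexp.MustCompile(`(?s)\{\{.*?\}\}`)
	metaTag     = regexp.MustCompile(`(?is)<meta\b[^>]*>`)
	contentAttr = regexp.MustCompile(`(?is)\bcontent\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)`)
)

const mark = "\x00" // stands in for a template action after masking

// MetaContentActions returns the 1-based line numbers of <meta> tags whose
// content attribute value is produced, fully or partly, by a template action.
func MetaContentActions(src string) []int {
	// Mask actions first so quotes or '>' inside {{...}} cannot confuse the
	// tag and attribute patterns; keep newlines so line numbers stay correct.
	masked := action.ReplaceAllStringFunc(src, func(a string) string {
		return mark + strings.Repeat("\n", strings.Count(a, "\n"))
	})
	var lines []int
	for _, loc := range metaTag.FindAllStringIndex(masked, -1) {
		tag := masked[loc[0]:loc[1]]
		m := contentAttr.FindStringSubmatch(tag)
		if m != nil && strings.Contains(m[1], mark) {
			lines = append(lines, 1+strings.Count(masked[:loc[0]], "\n"))
		}
	}
	return lines
}

// sampleTemplate is constructed for this example.
const sampleTemplate = `<html><head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0; url={{.Next}}">
<meta name="description" content="Static text">
<META NAME="og:url" CONTENT='{{printf "%s" .URL}}'>
<meta name="{{.Name}}" content="fixed">
</head></html>`

func main() {
	fmt.Println(MetaContentActions(sampleTemplate))
}
```

A flagged line only matters if the value fed to that action can come from untrusted input; templates with static content values or no <meta> actions are not on the affected path.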