CVE-2026-39823
Medium
False Positive
html/template package to
generate HTML responses. The vulnerable code path in html/template is never
invoked during normal KrakenD operation.
Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.
Component
Go standard library (html/template)
Disclosed
May 11, 2026
html/template package fails to properly escape URLs in the content
attribute of <meta> tags in certain template contexts, allowing an attacker
controlling the template input to inject arbitrary URLs or JavaScript
pseudo-protocol handlers into rendered HTML.