CVE-2026-39826
Medium
False Positive
html/template package to
generate HTML responses. The vulnerable code path in html/template is never
invoked during normal KrakenD operation.
Addressed through routine dependency maintenance in CE 2.13.5 and EE 2.13.3.
Component
Go standard library (html/template)
Disclosed
May 11, 2026
html/template package contains an escaper bypass where certain template
patterns allow injecting unescaped content into HTML output. Applications using
these specific template constructs to render user-controlled data are vulnerable
to cross-site scripting attacks.