github.com/golang/go is vulnerable to Arbitrary Code Execution. JavaScript templates do not consider backticks as string delimiters and do not escape them properly, which allows an attacker to bypass sanitization and execute arbitrary code on the system.
github.com/golang/go/commit/20374d1d759bc4e17486bde1cb9dca5be37d9e52
github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
github.com/golang/go/issues/59271
github.com/golang/go/issues/59272
go.dev/cl/482079
go.dev/issue/59234
groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
pkg.go.dev/vuln/GO-2023-1703
security.gentoo.org/glsa/202311-09