2 matches found
CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag
Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...
GHSA-VJCJ-5G2R-VXQC Pandao editor.md vulnerable to XSS in IMG attributes
Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid IMG element...