11 matches found

RedhatCVE
added 2026/03/09 8:2 a.m. | 1 views

CVE-2026-30830

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 6.1 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 1

NVD
added 2026/03/07 6:16 a.m. | 2 views

CVE-2026-30830

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 6.1 | EPSS 0.0002
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/07 5:49 a.m. | 2 views

CVE-2026-30830

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 5.3 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/03/07 5:49 a.m. | 0 views

CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 5.3 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 2

Cvelist
added 2026/03/07 5:49 a.m. | 22 views

CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 5.3 | EPSS 0.0002
Exploits: 1 | References: 2

OSV
added 2026/03/07 5:49 a.m. | 0 views

CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVSS 5.3 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 4

CVE
added 2026/03/07 5:49 a.m. | 7 views

CVE-2026-30830

Summary of technical details (Defuddle CVE-2026-30830): The vulnerability arises in the findContentBySchemaText path of Defuddle (src/defuddle.ts) where image src and alt attributes are interpolated into HTML via a string template without escaping. If the image’s alt attribute contains a quotatio...

CVSS 6.1 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 2 | Affected Software: 1

CNNVD
added 2026/03/07 12:0 a.m. | 2 views

defuddle cross-site scripting vulnerability

Defuddle is a web content extraction and cleaning tool developed by Steph Ango. Versions of Defuddle prior to 0.9.0 contained a cross-site scripting vulnerability. This vulnerability arose from the findContentBySchemaText method, which directly inserted image src and alt attributes into HTML...

CVSS 6.1 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 3

Snyk
added 2026/03/06 6:39 p.m. | 0 views

Cross-site Scripting (XSS)

Overview: defuddle is a package to extract article content and metadata from web pages. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the findContentBySchemaText fallback in src/defuddle.ts. An attacker can execute arbitrary scripts in consuming applications extensions,...

CVSS 6.1 | AI score 5.7 | EPSS 0.0002
Exploits: 1 | References: 2

OSV
added 2026/03/06 6:39 p.m. | 2 views

GHSA-5MQ8-78GM-PJMQ defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag

Summary The findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping: typescript html += ; An attacker can use a " in the alt attribute to break out of the attribute context and inject event handlers. This is a...

CVSS 5.3 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 4

Circl
added 2026/03/05 7:17 p.m. | 3 views

CVE-2026-30830

creationtimestamp | type | source
---|---|---
2026-03-05 19:17:42+00:00 | published-proof-of-concept | https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq...

CVSS 6.1 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 1