Security Advisory

CVE-2026-30830

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-07 05:49:15

Last updated 2026-03-10 17:58:06

Assigner GitHub_M

State PUBLISHED

Description

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

← Browse all CVEs View on cve.org ↗