
Description

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can place a " in the alt attribute to break out of the attribute context and inject an event handler attribute into the generated markup (cross-site scripting, CWE-79). This issue has been patched in version 0.9.0.
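The bug class in this record, shown as an added example in TypeScript (the language of src/defuddle.ts). This is not Defuddle's own code and does not reproduce _findContentBySchemaText; the function names, the ImageObject shape and the sample payload are assumptions made for the illustration. It shows the unescaped interpolation beside a hardened form that escapes attribute values and, going slightly beyond the advisory, also rejects non-http(s) src values.

```typescript
// Added illustration of the vulnerability class in this record. Not Defuddle
// code: names, input shape and payload are assumptions for the example.

type ImageObject = { src: string; alt: string };

// Vulnerable pattern (assumed shape of the pre-0.9.0 bug): attribute values
// are dropped into an HTML string as-is. A double quote inside `alt` closes
// the attribute, and whatever follows is parsed as further attributes of the
// <img> element, for instance an onerror handler.
function renderImageUnsafe(img: ImageObject): string {
  return `<img src="${img.src}" alt="${img.alt}">`;
}

// Escape the characters that can terminate a double-quoted attribute value or
// start a tag, so an attacker-controlled string can never leave the attribute.
function escapeHtmlAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened pattern: escape every interpolated value, and additionally refuse
// src values whose scheme is not http(s), so a javascript: URL cannot be
// smuggled in through the other interpolated attribute. Returns null when the
// image should be dropped rather than rendered.
function renderImageSafe(img: ImageObject): string | null {
  let url: URL;
  try {
    url = new URL(img.src);
  } catch (_e) {
    return null; // not an absolute URL; drop the image
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }
  return `<img src="${escapeHtmlAttr(url.href)}" alt="${escapeHtmlAttr(img.alt)}">`;
}

// Constructed attacker-controlled input, modelled on the advisory's description
// of a " in the alt attribute breaking out of the attribute context.
const maliciousImage: ImageObject = {
  src: "https://example.com/a.png",
  alt: 'x" onerror="alert(1)',
};

// Count double-quoted attributes in a single <img> tag. A regex is enough here
// because the markup under test is produced by the two functions above.
function countAttributes(html: string): number {
  const m = html.match(/\s[a-zA-Z-]+="[^"]*"/g);
  return m ? m.length : 0;
}

// Stand-alone demonstration: the unsafe renderer yields three attributes
// (src, alt, onerror); the safe one yields two, with the quote neutralised.
console.log(renderImageUnsafe(maliciousImage), countAttributes(renderImageUnsafe(maliciousImage)));
const safeMarkup = renderImageSafe(maliciousImage);
console.log(safeMarkup, safeMarkup === null ? 0 : countAttributes(safeMarkup));
```

Attribute escaping alone fixes the break-out the advisory describes; the scheme check on src is a separate, defence-in-depth measure that the record does not mention, included because the same interpolation also carries src.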

PUBLISHED Reserved 2026-03-05 | Published 2026-03-07 | Updated 2026-03-07 | Assigner GitHub_M




LOW: 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.9.0: affected

References

github.com/...fuddle/security/advisories/GHSA-5mq8-78gm-pjmq

github.com/...ommit/f154cb740ee603431b69638273af737a27156df9

cve.org (CVE-2026-30830)

nvd.nist.gov (CVE-2026-30830)
