Medium severity · 6.1 · NVD Advisory · Published Jan 23, 2017 · Updated May 13, 2026
CVE-2015-8862
Description
mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mustache (npm) | < 2.2.1 | 2.2.1 |
Affected products
- cpe:2.3:a:mustache.js_project:mustache.js:*:*:*:*:*:node.js:*:* (range: <= 2.2.0)
Patches
- 378bcca8a5cf: Improve HTML escaping.
3 files changed · +6 −4
mustache.js+4 −2 modified@@ -63,11 +63,13 @@ '>': '>', '"': '"', "'": ''', - '/': '/' + '/': '/', + '`': '`', + '=': '=' }; function escapeHtml (string) { - return String(string).replace(/[&<>"'\/]/g, function fromEntityMap (s) { + return String(string).replace(/[&<>"'`=\/]/g, function fromEntityMap (s) { return entityMap[s]; }); }
test/_files/escaped.js+1 −1 modified@@ -2,5 +2,5 @@ title: function () { return "Bear > Shark"; }, - entities: "" \"'<>/" + entities: "" \"'<>`=/" })
test/_files/escaped.txt+1 −1 modified@@ -1,2 +1,2 @@ <h1>Bear > Shark</h1> -And even &quot; "'<>/, but not " "'<>/. +And even &quot; "'<>`=/, but not " "'<>`=/.
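Review bot: in the mustache.js hunk, every entry of `entityMap` as displayed maps a character to itself (`'>': '>'`, `'"': '"'`, and the added `'`': '`'` and `'=': '='`), which would make `escapeHtml` a no-op; the map must hold entity references (`&gt;`, `&quot;`, `&#x60;`, `&#x3D;` and so on), so this looks like the entities were decoded when the diff was rendered and should be confirmed against the committed file. Escaping `=` and the backtick is the right direction for the unquoted-attribute case in the description: with `=` encoded, injected text cannot form a new `name=value` attribute, and the backtick is treated as an attribute delimiter by some older Internet Explorer versions. The regex change to `/[&<>"'`=\/]/g` is consistent with the two new keys.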
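Review bot: the escaped.js fixture only widens the character set fed through the existing `{{entities}}` tag; no fixture exercises a template with an unquoted attribute (for example `<a title={{entities}}>`), which is the scenario this fix is meant to cover, so consider adding one that asserts the rendered attribute cannot be terminated or extended by the substituted value.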
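Review bot: in escaped.txt as displayed, the "And even" half and the "but not" half of the expectation line contain the same literal characters `"'<>`=/`, so the escaped and unescaped renderings would be indistinguishable and the test could not fail; the escaped half must expect entity references, and the display here appears to have decoded them. Check the committed file rather than this rendering before merging.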
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- nodesecurity.io/advisories/62 (nvd: Exploit, Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2016/04/20/11 (nvd: Mailing List, Third Party Advisory, Web)
- github.com/advisories/GHSA-w3w8-37jv-2c58 (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-8862 (ghsa: Advisory)
- www.securityfocus.com/bid/96436 (nvd: Web)
- github.com/janl/mustache.js/commit/378bcca8a5cfe4058f294a3dbb78e8755e8e0da5 (ghsa: Web)
- www.npmjs.com/advisories/62 (ghsa: Web)
- www.tenable.com/security/tns-2016-18 (nvd: Web)
News mentions
No linked articles in our index yet.