CVE-2018-16468
Description
In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Loofah gem through v2.2.2 fails to sanitize JavaScript in crafted SVG elements, leading to XSS when the sanitized output is republished.
Vulnerability
The Loofah gem for Ruby, versions through v2.2.2, contains a cross-site scripting (XSS) vulnerability. When a crafted SVG element is processed by the sanitizer and then republished, unsanitized JavaScript may appear in the output. Affected versions are Loofah < v2.2.3. [1][2][3]
Exploitation
An attacker must craft an SVG element that bypasses the sanitizer. The element must be republished (e.g., stored and later displayed). No authentication is required if the application uses Loofah to sanitize user input. The attacker can inject arbitrary JavaScript that executes in the victim's browser. [3]
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser, leading to XSS. This can result in data theft, session hijacking, or defacement. [2][3]
Mitigation
Upgrade to Loofah v2.2.3, released on 2018-10-30. No workarounds are documented. The vulnerability is not listed on CISA KEV. [3]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| loofah | RubyGems | < 2.2.3 | 2.2.3 |
Affected products
Nine affected products, sourced from the GHSA coordinates; no CPE is recorded for any entry.

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:gem/loofah | RubyGems | < 2.2.3 |
| pkg:rpm/opensuse/rmt-server | openSUSE Tumbleweed | < 2.6.13-1.1 |
| pkg:rpm/opensuse/ruby3.2-rubygem-loofah | openSUSE Tumbleweed | < 2.19.1-1.2 |
| pkg:rpm/opensuse/rubygem-loofah | openSUSE Tumbleweed | < 2.14.0-1.1 |
| pkg:rpm/suse/rmt-server | SUSE Linux Enterprise Module for Server Applications 15 | < 1.1.1-3.13.1 |
| pkg:rpm/suse/rubygem-loofah | SUSE Enterprise Storage 4 | < 2.0.2-3.5.1 |
| pkg:rpm/suse/rubygem-loofah | SUSE Linux Enterprise High Availability Extension 15 | < 2.2.2-4.3.1 |
| pkg:rpm/suse/rubygem-loofah | SUSE OpenStack Cloud 7 | < 2.0.2-3.5.1 |
| pkg:rpm/suse/rubygem-loofah | SUSE OpenStack Cloud Crowbar 8 | < 2.0.2-3.5.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g4xq-jx4w-4cjv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16468 (NVD advisory)
- www.debian.org/security/2019/dsa-4364 (Debian vendor advisory, DSA-4364)
- github.com/flavorjones/loofah/issues/154 (upstream issue tracker)
News mentions
No linked articles in our index yet.