CVE-2018-16481
Description
Cross-site scripting (XSS) vulnerability in html-page library <=2.1.1 allows execution of arbitrary JavaScript via unsanitized file paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
html-page versions <=2.1.1 contain a stored XSS vulnerability. The library fails to sanitize file paths before rendering them in the browser, allowing injection of arbitrary JavaScript code. The issue is present in all versions up to and including 2.1.1.
Exploitation
An attacker can craft a malicious URL or file path containing JavaScript code. When a user uses the vulnerable library to render an HTML page with such a path, the script executes in the user's browser. No authentication is required; exploitation relies on user interaction (rendering the page).
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of cookies, session tokens, or other sensitive information, or to actions being performed on behalf of the user.
Mitigation
The vulnerability is fixed in version 2.1.2. Users should upgrade to 2.1.2 or later. No workarounds are documented. The issue was reported via HackerOne [1].
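The unsanitized-path pattern described above, next to a hardened form, as an added example that is not code from html-pages or its fix. It assumes file paths are interpolated into an HTML list of links; every function name and the sample paths are hypothetical and constructed for illustration.

```javascript
// Added illustration; not code from html-pages. All names are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Percent-encode each path segment so the path stays a single URL inside href.
function encodePath(path) {
  return path.split('/').map(encodeURIComponent).join('/');
}

// Unsafe pattern: the path is placed into markup unchanged, so markup
// characters in a file name become part of the page.
function renderEntryUnsafe(path) {
  return `<li><a href="${path}">${path}</a></li>`;
}

// Hardened form: URL-encode for the href, then HTML-escape both contexts.
// encodeURIComponent leaves "'" untouched, so the href still needs escapeHtml.
function renderEntrySafe(path) {
  const href = escapeHtml(encodePath(path));
  return `<li><a href="${href}">${escapeHtml(path)}</a></li>`;
}

// Render a whole listing with the chosen entry renderer.
function renderListing(paths, renderEntry) {
  return `<ul>\n${paths.map(renderEntry).join('\n')}\n</ul>`;
}

// Constructed sample file paths, including names that contain markup characters.
const samplePaths = [
  'docs/readme.txt',
  'img/<img src=x onerror=alert(1)>.png',
  'a"b&c.txt',
];

console.log(renderListing(samplePaths, renderEntrySafe));
```

Comparing the output of `renderEntryUnsafe` and `renderEntrySafe` on the same listing is a quick regression check after upgrading or when reviewing similar template code.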
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| html-pages (npm) | <= 3.1.0 | — |
Affected products
- HackerOne/html-pages v5, Range: <=2.1.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-5p26-hw7f-3cpr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-16481 (ghsa, ADVISORY)
- hackerone.com/reports/330356 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/advisories/1001 (ghsa, WEB)