Hide Files on GitHub options.js addEventListener cross site scripting
Description
A stored XSS vulnerability in Hide Files on GitHub up to 2.x allows remote attackers to inject arbitrary web scripts via the addEventListener function in extension/options.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Hide Files on GitHub browser extension, affecting versions up to 2.x. The flaw is in the event handler registered with addEventListener in extension/options.js: the regular-expression pattern the user enters on the options page is placed into the page's HTML without being escaped, so a pattern that contains markup is rendered as HTML and any script it carries executes in the context of the extension's options page [1][2].
Exploitation
The attack can be initiated remotely but requires user interaction. The vulnerability is a self-XSS: the attacker cannot inject into another user's session directly, and instead has to use social engineering (for example, convincing the victim to paste a prepared pattern into the extension's settings) or local access to get the malicious input into the options page. Once the victim enters it, the injected script runs in the context of the extension's privileged options page [2].
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the context of the Hide Files on GitHub extension's options page, which runs with the extension's permissions rather than those of an ordinary web page. From there the script could read or modify the extension's storage, act on GitHub on behalf of the user, or extract sensitive data the extension can reach, such as API tokens or the stored repository filters. User settings and the extension's HTTP communications could be exposed if the script exfiltrates that data [1][2].
Mitigation
The vulnerability was fixed in version 3.0.0 of the extension. The associated commit (9de0c57) adds HTML escaping using an inlined copy of the escape-goat package's escaping routine. Users should upgrade to version 3.0.0 or later. No workaround is available for earlier versions, and the repository has since been archived as read-only. There is no indication that this CVE is in the KEV catalog [1][2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitHub/Hide Files
- Range: <3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application failed to properly escape user-supplied input before rendering it in an HTML context, leading to cross-site scripting."
Attack vector
An attacker can place markup or script in the regular expression field. The value is then rendered by the options page without escaping, so the script executes in the user's browser. The attack can be initiated remotely, but it only fires when the user interacts with the affected extension's options page [ref_id=1].
Affected code
The vulnerable code is in `extension/options.js`. The `setValidity` function, which sets the custom validity message on `regexField`, was changed to pass the user's input through a new `escapeTag` function before using it, which prevents the cross-site scripting [ref_id=1].
What the fix does
The patch adds an `escapeHTML` function and calls it from `escapeTag`, so the HTML-special characters in user input are escaped before the text is displayed. `setValidity` now runs the input through `escapeTag` before handing it to `regexField.setCustomValidity`, so injected markup is shown as literal text rather than executed [ref_id=1].
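The following JavaScript is an added example, not the extension's own code, illustrating the vulnerability described above and the shape of the fix: a user-supplied regex pattern is echoed back in a validity message, and that message lands in an HTML context. `escapeHTML` uses the five replacements that escape-goat's HTML escaping performs; the message format, the `<code>` wrapper, the function names and the sample payload are assumptions made for this illustration. It also shows a point the page does not spell out: the regex engine's own error message repeats the offending pattern, so escaping only the pattern and not the error text would leave a second unescaped copy.

```javascript
// Added example (not the Hide Files on GitHub code). Escaping a user-supplied
// regex pattern before it is interpolated into an error message that will be
// placed into an HTML context. escapeHTML mirrors escape-goat's replacement
// table; everything else here is an assumption for illustration.

// Same replacements as escape-goat's htmlEscape(). '&' must go first,
// otherwise the entities produced by the later replacements get re-escaped.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Validate a pattern the way an options page would: try to compile it and
// report the engine's error. Returns null when the pattern compiles.
// Note that the error message from the engine echoes the pattern itself.
function regexError(pattern) {
  try {
    new RegExp(pattern);
    return null;
  } catch (error) {
    return error.message;
  }
}

// Vulnerable shape (before the fix): the raw pattern and the raw error text
// are interpolated into an HTML fragment. A pattern that carries markup
// becomes live HTML as soon as this string reaches innerHTML or a similar sink.
function unsafeValidityMarkup(pattern) {
  const error = regexError(pattern);
  return error === null
    ? ''
    : `<code>${pattern}</code> is not a valid regular expression: ${error}`;
}

// Hardened shape: every user-controlled piece is escaped before it enters the
// fragment, including the engine's error message, which repeats the pattern.
// The <code> wrapper is the only markup left, and it is ours, not the user's.
function safeValidityMarkup(pattern) {
  const error = regexError(pattern);
  return error === null
    ? ''
    : `<code>${escapeHTML(pattern)}</code> is not a valid regular expression: ${escapeHTML(error)}`;
}

// Check used below: does the fragment contain any tag other than the
// <code>...</code> wrapper we added ourselves?
function containsUserMarkup(markup) {
  return /<(?!\/?code>)[^>]*>/.test(markup);
}

// Constructed sample input: fails to compile because of the unbalanced '('
// and carries an injection payload at the same time.
const maliciousPattern = '(<img src=x onerror=alert(1)>';

console.log('unsafe:', unsafeValidityMarkup(maliciousPattern));
console.log('safe:  ', safeValidityMarkup(maliciousPattern));
```

Run it with Node; the unsafe line prints the `<img ...>` tag verbatim (twice, once from the pattern and once from the engine's error message), while the safe line prints only `&lt;img ...&gt;` entities, which a browser shows as text.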
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/sindresorhus/hide-files-on-github/commit/9de0c57df81db1178e0e79431d462f6d9842742e (mitre: patch)
- github.com/sindresorhus/hide-files-on-github/releases/tag/3.0.0 (mitre: patch)
- github.com/sindresorhus/hide-files-on-github/pull/73 (mitre: issue-tracking)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry, technical-description)
News mentions
No linked articles in our index yet.