Moderate severity · NVD Advisory · Published Apr 29, 2022 · Updated Sep 17, 2024
Cross-site Scripting (XSS)
CVE-2022-25854
Description
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @yaireo/tagify (npm) | < 4.9.8 | 4.9.8 |
References
- github.com/advisories/GHSA-pxpf-v376-7xx5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25854 (ghsa, ADVISORY)
- bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module (ghsa, WEB)
- bsg.tech/blog/cve-2022-25854-stored-xss-in-yaireo-tagify-npm-module/ (mitre, x_refsource_MISC)
- github.com/yairEO/tagify/commit/198c0451fad188390390395ccfc84ab371def4c7 (ghsa, x_refsource_MISC, WEB)
- github.com/yairEO/tagify/issues/988 (ghsa, x_refsource_MISC, WEB)
- github.com/yairEO/tagify/releases/tag/v4.9.8 (ghsa, x_refsource_MISC, WEB)
- snyk.io/vuln/SNYK-JS-YAIREOTAGIFY-2404358 (ghsa, x_refsource_MISC, WEB)