CVE-2022-35144
Description
Raneto v0.17.0 was discovered to contain a cross-site scripting (XSS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| raneto (npm) | < 0.17.1 | 0.17.1 |
Vulnerability mechanics
Root cause
"Insufficient sanitization of user-supplied search input allows stored/reflected cross-site scripting (XSS)."
Attack vector
An attacker can inject a malicious search query containing HTML/JavaScript payloads (e.g. `
Affected code
The vulnerability is in the search route (`app/routes/search.route.js`). The original code used `_s.stripTags()` to remove `
What the fix does
The patch introduces a new `sanitize.js` function that calls `validator.blacklist()` to remove dangerous characters (`&'"/>
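The following is an added example, not code from Raneto or from the patch described above. It illustrates the two halves of the mechanics section in isolation: a naive tag-stripping step of the kind the original search route relied on, and a contextual HTML-escaping step that neutralises the reflected query. The escaping approach is used here instead of the patch's `validator.blacklist()` character removal because escaping preserves the user's text while still rendering it inert. The Express-style handler shape (`req.query.search`, `res.end`) and all function names are assumptions for the illustration.

```javascript
// Added example (not Raneto's code): why stripping tags alone does not
// protect a reflected search query, and how HTML escaping does.

// Naive tag stripping: removes anything that looks like <tag>. This stands in
// for the tag-removal step the original route used; it is not that library's code.
function stripTagsNaive(s) {
  return String(s).replace(/<[^>]*>/g, '');
}

// Escape the five characters that carry meaning in HTML text and in
// double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Builds a minimal results page. The query is reflected in two HTML
// contexts, an attribute value and element text, so both need encoding.
function renderSearchPage(query, sanitize) {
  const q = sanitize(query);
  return [
    '<form action="/search">',
    `  <input name="search" value="${q}">`,
    '</form>',
    `<h2>Results for ${q}</h2>`,
  ].join('\n');
}

// Hypothetical Express-style handler: reads the `search` parameter and
// renders it with escaping applied at the point of output.
function searchHandler(req, res) {
  const query = typeof req.query.search === 'string' ? req.query.search : '';
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(renderSearchPage(query, escapeHtml));
}

// Recovers the value attribute the browser would actually see for the
// search input, so we can check whether the attribute context stayed intact.
function inputValue(html) {
  const m = html.match(/<input name="search" value="([^"]*)">/);
  return m ? m[1] : null;
}

// Constructed sample query: a quote that closes the attribute followed by markup.
const SAMPLE_QUERY = '"><b>term</b>';

function demo() {
  const stripped = renderSearchPage(SAMPLE_QUERY, stripTagsNaive);
  const escaped = renderSearchPage(SAMPLE_QUERY, escapeHtml);
  console.log('--- tag stripping only ---\n' + stripped);
  console.log('--- HTML escaping ---\n' + escaped);
  return { stripped, escaped };
}
```

With tag stripping only, the `<b>` markup disappears but the leading `">` survives, so the `value` attribute is closed early and the rest of the query lands as free text outside the input tag; with escaping, the attribute holds the full query as inert entities and no new markup appears in either context.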
Preconditions
- Input: the application must be using the search functionality with user-supplied input in the `search` query parameter
- Auth: no authentication is required to access the search endpoint
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vc68-6x72-w22f (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-35144 (GHSA: advisory)
- raneto.com (GHSA: web; MITRE: x_refsource_MISC)
- cwe.mitre.org/data/definitions/79.html (GHSA: web; x_refsource_MISC)
- gainsec.com/2022/08/04/cve-2022-35142-cve-2022-35143-cve-2022-35144/ (GHSA: web; MITRE: x_refsource_MISC)
- github.com/gilbitron/Raneto/releases (MITRE: x_refsource_MISC)
- github.com/ryanlelek/Raneto/pull/370 (GHSA: web)
- github.com/ryanlelek/Raneto/releases/tag/0.17.1 (GHSA: web)