Medium severity 5.4 · OSV Advisory · Published Oct 2, 2024 · Updated Jun 17, 2026
CVE-2024-9440
Description
Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variable from the user-provided Options object is assigned to innerHTML without sanitization. Software that depends on this library to dynamically generate lists using unsanitized user-provided input may be vulnerable to cross-site scripting, resulting in attacker-executed JavaScript. At this time, no patch is available.
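An application on an affected version can neutralize the innerHTML assignment described above by HTML-escaping option text before handing the list to the library. The following is an added example, not code from Slim Select or from this advisory; `sanitizeOptions` is a hypothetical helper, and the `{ text, value }` / `{ label, options }` data shape and the `html` field are assumptions about how the application builds its list.

```javascript
// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn any value into a string that renders as literal text under innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a sanitized copy of an option list built from user input.
// Assumed shape: [{ text, value, ... }] with optional groups
// { label, options: [...] }. The input array is not mutated.
function sanitizeOptions(items) {
  if (!Array.isArray(items)) throw new TypeError('options must be an array');
  return items.map((item) => {
    if (item === null || typeof item !== 'object') {
      throw new TypeError('each option must be an object');
    }
    const clean = { ...item };
    if ('text' in clean) clean.text = escapeHtml(clean.text);
    if ('label' in clean) clean.label = escapeHtml(clean.label);
    // Assumption: an `html` field would be rendered as raw markup, so
    // user-derived data is never allowed to supply one.
    delete clean.html;
    if (Array.isArray(clean.options)) clean.options = sanitizeOptions(clean.options);
    return clean;
  });
}

// Constructed sample input standing in for user-provided list entries.
const untrusted = [
  { text: 'Plain entry', value: '1' },
  { text: '<img src=x onerror=alert(1)>', value: '2', html: '<i>raw</i>' },
  { label: 'A & B', options: [{ text: '"quoted" <b>bold</b>', value: '3' }] },
];

const safe = sanitizeOptions(untrusted);
console.log(JSON.stringify(safe, null, 2));
```

If the installed version already treats option text as plain text, escaping here would display the entities literally, so apply it only while an affected version is in use.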
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slim-select (npm) | >= 2.0.0, < 2.9.2 | 2.9.2 |
Affected products
- Range: v0.1.0, v0.10.0, v0.11.0, …
References
- github.com/brianvoe/slim-select/issues/564 (nvd; Exploit, Issue Tracking; WEB)
- github.com/advisories/GHSA-qvqv-mcxr-x8qw (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-9440 (ghsa; ADVISORY)
- vulncheck.com/advisories/slim-select-xss (nvd; Third Party Advisory; WEB)
- github.com/brianvoe/slim-select/blob/e7e37e2ff90e125f846bd98d6b8f278524ead79e/src/slim-select/select.ts (nvd; Product; WEB)
- github.com/brianvoe/slim-select/commit/f8534f27d6e9bab89024d139f1c4f7555f1efd5e (ghsa; WEB)
- github.com/brianvoe/slim-select/pull/572 (ghsa; WEB)