VYPR
Low severityNVD Advisory· Published Mar 7, 2026· Updated Mar 10, 2026

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

CVE-2026-30830

Description

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
defuddlenpm
< 0.9.00.9.0

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.