CVE-2026-34231
Description
Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.
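To make the attribute breakout and the effect of the fix concrete, here is a stand-alone illustration (added example, not slippers' own code): `attr_string_vulnerable` mirrors the pre-0.6.3 f-string, `attr_string_fixed` uses the standard library's `html.escape` where the 0.6.3 patch uses Django's `format_html`, and the HTMLParser-based check is an assumed approximation of how a browser would read the rendered tag.

```python
from html import escape
from html.parser import HTMLParser
from typing import Any, Dict


def attr_string_vulnerable(key: str, value: Any) -> str:
    """Pre-0.6.3 behaviour: the value lands in the attribute verbatim."""
    key = key.replace("_", "-")
    return f'{key}="{value}"'


def attr_string_fixed(key: str, value: Any) -> str:
    """0.6.3 behaviour: key and value are escaped before interpolation.

    html.escape stands in for Django's format_html/conditional_escape here;
    both turn a double quote into &quot;, which is what closes the hole.
    """
    key = key.replace("_", "-")
    return f'{escape(key)}="{escape(str(value))}"'


class _AttrCollector(HTMLParser):
    """Records the attributes a browser would see on the first start tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs, self.seen = [], False

    def handle_starttag(self, tag, attrs):
        if not self.seen:
            self.seen, self.attrs = True, attrs


def parsed_attributes(tag_markup: str) -> Dict[str, str]:
    """Return {name: value} as an HTML parser interprets the rendered tag."""
    collector = _AttrCollector()
    collector.feed(tag_markup)
    return dict(collector.attrs)


def render_input(attr_fn, placeholder: str) -> str:
    """Mimic `<input {% attrs placeholder %}>` with the given attr builder."""
    return f"<input {attr_fn('placeholder', placeholder)}>"


# Constructed sample: the attribute-breakout string from the upstream test.
PAYLOAD = '" onmouseover="alert(document.cookie)" x="'
if __name__ == "__main__":
    for fn in (attr_string_vulnerable, attr_string_fixed):
        print(fn.__name__, "->", sorted(parsed_attributes(render_input(fn, PAYLOAD))))
```

With the vulnerable builder the parser reports three attributes (`placeholder`, `onmouseover`, `x`); with the escaped builder it reports only `placeholder`, whose value is the whole untrusted string.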
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slippers (PyPI) | < 0.6.3 | 0.6.3 |
Patches
16cc4ef4fa8a Merge commit from fork
2 files changed · +21 −1
slippers/templatetags/slippers.py+2 −1 modified@@ -5,6 +5,7 @@ from django import template from django.conf import settings as django_settings from django.template import Context, NodeList +from django.utils.html import format_html from django.utils.safestring import mark_safe from slippers.conf import settings @@ -179,7 +180,7 @@ def attr_string(key: str, value: Any): ) key = key.replace("_", "-") - return f'{key}="{value}"' + return format_html('{}="{}"', key, value) class AttrsNode(template.Node):
tests/test_templatetags.py+19 −0 modified@@ -480,6 +480,25 @@ def test_source_name(self): self.assertHTMLEqual(expected, Template(template).render(context)) + def test_string_escaping(self): + context = Context( + { + "placeholder": '" onmouseover="alert(document.cookie)" x="', + } + ) + + template = """ + <input {% attrs placeholder %}> + """ + + output = Template(template).render(context) + + # The quote is escaped so the injected attribute cannot break out + self.assertIn( + 'placeholder="" onmouseover="alert(document.cookie)" x=""', + output, + ) + class VarTagTest(TestCase): def test_basic(self):
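Review bot: in the attr_string hunk, format_html applies conditional_escape to its arguments, so a value already wrapped with mark_safe (imported in this same module) still passes through unescaped while every plain string is now escaped; a short comment or docstring on attr_string should state that contract, since templates that previously relied on raw interpolation of pre-built markup will see their output change (for example a plain string containing `&amp;` is now emitted as `&amp;amp;`) unless they mark it safe explicitly.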
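Review bot: the expected substring in test_string_escaping, as it appears in this listing (`placeholder="" onmouseover="alert(document.cookie)" x=""`), is exactly the unescaped output the old f-string produced, so as displayed the assertion would pass against the vulnerable code; the patched attr_string emits `&quot;` for each quote, so the expected string should carry those entities (if they were only lost when this diff was rendered, the committed test is fine). Adding a complementary negative check such as `self.assertNotIn(' onmouseover="', output)` would make the regression test hold regardless of which escaped form the value takes.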
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2 (NVD: Patch)
- github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3 (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-w7rv-gfp4-j9j3 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34231 (GHSA: Advisory)
- github.com/mixxorz/slippers/releases/tag/0.6.3 (NVD: Release Notes)