VYPR

npm package

defuddle

pkg:npm/defuddle

Vulnerabilities (1)

  • CVE-2026-30830Mar 7, 2026
    affected < 0.9.0fixed 0.9.0

    Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute contex