@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script tag into the page and execute malicious code.
{
"unresolved_ranges": [
{
"vendor_product": "emoji_button_project:emoji_button",
"cpes": [
"cpe:2.3:a:emoji_button_project:emoji_button:*:*:*:*:*:node.js:*:*"
],
"extracted_events": [
{
"fixed": "4.6.2"
}
],
"source": "CPE_RANGE"
}
]
}