CVE-2026-30830

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-30830

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30830.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-30830

Aliases

GHSA-5mq8-78gm-pjmq

Published

2026-03-07T05:49:15.964Z

Modified

2026-04-02T13:23:16.848202Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P CVSS Calculator

Summary

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Details

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30830.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/kepano/defuddle

Affected ranges

Type: GIT
Repo: https://github.com/kepano/defuddle
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

440f9e8ca92a7be7871aeb07200190328340dbbf

Affected versions

0.*

0.1.1

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.6

0.3.7

0.3.8

0.4.0

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.7.0

0.8.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30830.json"