CVE-2026-34231

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-34231
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34231.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34231
Aliases
Published
2026-03-31T15:33:17.644Z
Modified
2026-04-02T13:29:33.878619Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag
Details

Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34231.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/mixxorz/slippers

Affected ranges

Type
GIT
Repo
https://github.com/mixxorz/slippers
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
36f596ef8ca594f0e004113ab22600d02a5cb0e5
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.6.3"
        }
    ]
}

Affected versions

0.*
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.5.0-alpha.0
0.6.0
0.6.0-alpha.0
0.6.1
0.6.1-alpha.0
0.6.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34231.json"