CVE-2016-10547

MEDIUM

Nunjucks < 2.4.2 - Cross-Site Scripting via Array Key Bypass

Title source: llm

Description

Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/matt-/nunjucks_test

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/mozilla/nunjucks/issues/835

Exploit, Third Party Advisory x_refsource_misc

https://nodesecurity.io/advisories/147

Scores

CVSS v3 6.1

EPSS 0.0038

EPSS Percentile 59.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

mozilla/nunjucks < 2.4.2

npm/nunjucks 0 - 2.4.3npm

Published May 31, 2018

Tracked Since Feb 18, 2026