Description
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
References (2)
Core References
https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660 (Exploit, Patch, Third Party Advisory)
Scores
CVSS v3
4.9
EPSS
0.0016
EPSS Percentile
36.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-94
CWE-79
Status
published
Products (2)
npm/prismjs
0 - 1.30.0 (npm)
prismjs/prism
< 1.29.0
Published
Mar 03, 2025
Tracked Since
Feb 18, 2026