CVE-2026-30830

MEDIUM

Defuddle <0.9.0 - XSS

Title source: llm

Description

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject an event handler attribute. This issue has been patched in version 0.9.0.
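The attribute-context break-out the description refers to, shown as an added example. This is hypothetical illustration code, not Defuddle's own _findContentBySchemaText: renderImageUnsafe mirrors the unescaped interpolation pattern, renderImageSafe shows the usual fix (escaping the value before it is placed inside a double-quoted attribute), and attributeNames is a small start-tag scanner that lists the attribute names an HTML parser would see in the result. The image name and the alt payload are constructed for the demonstration.

```typescript
// Added example for the CWE-79 pattern described in the advisory. Function names
// are hypothetical; the real vulnerable method is Defuddle's _findContentBySchemaText.

// Vulnerable pattern: attacker-controlled attribute values are dropped straight into
// an HTML string. A `"` in alt closes the attribute and whatever follows becomes markup.
function renderImageUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Escape the characters that matter inside a double-quoted attribute value.
// `&` is replaced first so the entities produced afterwards are not re-encoded.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened pattern: every interpolated value goes through escapeAttr, so a `"` in
// alt stays inside the attribute as &quot; instead of terminating it.
function renderImageSafe(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Minimal scanner for the attribute list of a single start tag. It returns the
// lower-cased attribute names a parser would tokenize; values (quoted or bare) are
// skipped. It is only meant to make the difference between the two renderers visible.
function attributeNames(tag: string): string[] {
  const names: string[] = [];
  const firstSpace = tag.indexOf(" ");
  const close = tag.lastIndexOf(">");
  if (firstSpace === -1 || close === -1) return names;
  const body = tag.slice(firstSpace, close);
  const isSpace = (c: string): boolean => /\s/.test(c);
  let i = 0;
  while (i < body.length) {
    while (i < body.length && isSpace(body.charAt(i))) i++;
    if (i >= body.length) break;
    const start = i;
    while (i < body.length && !isSpace(body.charAt(i)) && body.charAt(i) !== "=") i++;
    names.push(body.slice(start, i).toLowerCase());
    while (i < body.length && isSpace(body.charAt(i))) i++;
    if (body.charAt(i) === "=") {
      i++;
      while (i < body.length && isSpace(body.charAt(i))) i++;
      const q = body.charAt(i);
      if (q === '"' || q === "'") {
        // Quoted value: everything up to the matching quote belongs to this attribute.
        const end = body.indexOf(q, i + 1);
        i = end === -1 ? body.length : end + 1;
      } else {
        // Unquoted value: runs to the next whitespace.
        while (i < body.length && !isSpace(body.charAt(i))) i++;
      }
    }
  }
  return names;
}

// True if the rendered tag carries any on* event handler attribute.
function hasEventHandler(tag: string): boolean {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Constructed payload: closes the alt attribute and starts a new one.
const demoAlt = '" onerror="alert(1)';
console.log(renderImageUnsafe("x.png", demoAlt), hasEventHandler(renderImageUnsafe("x.png", demoAlt)));
console.log(renderImageSafe("x.png", demoAlt), hasEventHandler(renderImageSafe("x.png", demoAlt)));
```

With the constructed payload, the unsafe renderer yields a tag whose attribute list is src, alt, onerror; the escaped renderer yields src, alt, with the payload preserved as literal text inside alt. Escaping is context-specific: the function above is correct only for values placed inside a quoted attribute, and a value that ends up in a URL, script, or CSS context needs its own encoder.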

Scores

CVSS v3 6.1
EPSS 0.0002
EPSS Percentile 4.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
kepano/defuddle < 0.9.0
npm/defuddle 0 - 0.9.0
Published Mar 07, 2026
Tracked Since Mar 07, 2026