Skip to main content

Defuddle CVE-2026-30830

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-07 security-advisories@github.com GHSA-5mq8-78gm-pjmq
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Mar 11, 2026 - 18:50 vuln.today
Public exploit code
Patch released
Mar 11, 2026 - 18:50 nvd
Patch available
CVE Published
Mar 07, 2026 - 06:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

AnalysisAI

Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Defuddle. Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 0.9.0.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Share

CVE-2026-30830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy