SpecifyJS CVE-2026-50290
MEDIUMSeverity by source
AC:H reflects the mandatory legacy browser prerequisite; S:C applies because XSS crosses from server rendering into the victim browser context; A:N as availability is unaffected.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Finding
Location: core/src/server/render-to-string.ts:307-311
CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp/**/ression().
Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.
Status
Fixed in v0.2.136 - CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for behavior:, -moz-binding, and -o-link patterns.
AnalysisAI
CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp//ression()). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, attacker-controlled input must reach the CSS value sanitization path in render-to-string.ts - meaning the application uses SpecifyJS to render user-supplied or externally sourced CSS values server-side; second, the victim's browser must be Internet Explorer 6, 7, 8, 9, or 10, as CSS expression() evaluation is an IE-proprietary feature not implemented in any modern browser (Chrome, Firefox, Safari, Edge). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided for this CVE, so all metric assessments are inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits input containing a CSS value with a unicode-obfuscated expression such as '\65xpression(alert(document.cookie))' or the comment-interleaved form 'exp/**/ression(fetch(attacker.com))'. SpecifyJS's render-to-string function processes this value, the regex sanitizer fails to recognize the obfuscated pattern, and the raw CSS is emitted into the server-rendered HTML. … |
| Remediation | Upgrade @asymmetric-effort/specifyjs to v0.2.136 or later, which corrects the sanitization logic by normalizing CSS unicode escapes and stripping CSS comments before pattern matching. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-93q6-wwjh-jc6h