CVE-2026-30830
Received Received - Intake
HTML Injection in Defuddle _findContentBySchemaText Allows XSS

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30830
EUVD
EUVD-2026-10118
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kepano defuddle to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30830 is a moderate severity cross-site scripting (XSS) vulnerability in the npm package "defuddle" (versions ≀ 0.7.0). The issue occurs in the `_findContentBySchemaText` method, which constructs an HTML string by directly inserting image `src` and `alt` attributes without properly escaping them.'}, {'type': 'paragraph', 'content': 'Because the `alt` attribute value is inserted raw, an attacker can include a double quote (`"`) in the `alt` attribute to break out of the attribute context and inject additional HTML attributes, such as event handlers like `onload`. This allows execution of arbitrary JavaScript when the HTML is rendered.'}, {'type': 'paragraph', 'content': 'For example, an attacker-supplied image tag with an `alt` attribute containing a quote and an `onload` event handler can cause the injected event handler to execute, potentially stealing cookies or performing other malicious actions.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the HTML string is constructed via string interpolation rather than using safe DOM APIs that automatically escape attribute values.'}, {'type': 'paragraph', 'content': 'This issue was patched in version 0.9.0 by avoiding string interpolation and instead using DOM methods to create elements and set attributes safely.'}] [1]

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks in any application that renders HTML output generated by defuddle, such as browser extensions, web clippers, or reader modes.

An attacker can craft malicious HTML with a specially crafted `alt` attribute in an image tag to inject and execute arbitrary JavaScript code.

The impact includes execution of attacker-controlled scripts in the context of the vulnerable application, which can lead to theft of sensitive information like cookies, session hijacking, or other malicious actions.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting HTML content generated by the defuddle package, specifically looking for image tags where the alt attribute contains unescaped double quotes that allow injection of event handlers such as onload.'}, {'type': 'paragraph', 'content': 'A practical detection approach is to search for HTML output containing image tags with suspicious alt attributes that include quotes and event handlers.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to scan HTML files or logs for patterns like: <img[^>]*alt=["\'][^"\']*"[^>]*onload='}, {'type': 'list_item', 'content': 'Example command to find suspicious img tags in HTML files: grep -E \'<img[^>]*alt=["\'][^"\']*"[^>]*onload=\' *.html'}, {'type': 'list_item', 'content': 'Monitor network traffic for HTML responses containing image tags with alt attributes that include double quotes followed by event handlers.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation is to upgrade the defuddle package to version 0.9.0 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch avoids direct string interpolation of image src and alt attributes and instead uses DOM API methods to safely set attributes, ensuring proper escaping.'}, {'type': 'paragraph', 'content': "If upgrading is not immediately possible, sanitize HTML output by removing event handler attributes (those starting with 'on') and dangerous elements such as <script>, <style>, <object>, and others as described in the security patch."}, {'type': 'list_item', 'content': 'Apply the sanitization steps implemented in the patch: remove script tags (except math scripts), strip event handler attributes, remove dangerous iframe attributes like srcdoc, and remove elements like <object>, <embed>, and <base>.'}, {'type': 'list_item', 'content': 'Review and sanitize any HTML content generated by defuddle before rendering it in browsers or applications.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart