CVE-2026-30830
Received - Intake
HTML Injection in Defuddle _findContentBySchemaText Allows XSS

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can place a " in the alt attribute to break out of the attribute context and inject an event handler such as onload, which executes as JavaScript when the generated HTML is rendered. This issue has been patched in version 0.9.0.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
kepano    defuddle   all versions before 0.9.0 (0.9.0 excluded)
CWE ID    Description
CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30830 is a moderate severity cross-site scripting (XSS) vulnerability in the npm package "defuddle" (versions prior to 0.9.0). The issue occurs in the `_findContentBySchemaText` method, which constructs an HTML string by directly inserting image `src` and `alt` attributes without escaping them.

Because the `alt` attribute value is inserted raw, an attacker can include a double quote (`"`) in the `alt` attribute to break out of the attribute context and inject additional HTML attributes, such as event handlers like `onload`. This allows execution of arbitrary JavaScript when the HTML is rendered.

For example, an attacker-supplied image tag whose `alt` attribute contains a quote followed by an `onload` event handler causes the injected handler to execute, potentially stealing cookies or performing other malicious actions.

The vulnerability arises because the HTML string is constructed via string interpolation rather than with DOM APIs, which treat attribute values as data rather than as markup.

This issue was patched in version 0.9.0 by avoiding string interpolation and instead using DOM methods to create elements and set attributes. [1]
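The pattern described above, reconstructed as an added example that is not Defuddle's code: an `<img>` built by interpolating `src` and `alt` into a string, beside a string-level escaping fix and the DOM-API route the advisory credits to 0.9.0. All names, the sample URL and the hostile `alt` value are constructed for the demonstration, and the attribute tokenizer at the end is only meant to tell the two outputs apart.

```typescript
// Added example, not Defuddle's code. Reconstructs the pattern the advisory
// describes (an <img> built by string interpolation of src/alt) beside two
// fixes. Names, URL and the hostile alt value are constructed for the demo.

interface ImageFields { src: string; alt: string }

// Vulnerable: attribute values are pasted in raw, so a '"' inside alt closes
// the attribute and everything after it is parsed as new markup.
function buildImgVulnerable(img: ImageFields): string {
  return `<img src="${img.src}" alt="${img.alt}">`;
}

// Fix 1 (string level): escape the characters that can end or alter a
// double-quoted attribute value. '&' goes first so later replacements are
// not re-escaped.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildImgSafe(img: ImageFields): string {
  return `<img src="${escapeAttr(img.src)}" alt="${escapeAttr(img.alt)}">`;
}

// Fix 2 (the route the advisory credits to 0.9.0): let the DOM own the
// serialisation. Typed structurally so this compiles without the DOM lib;
// a real `document` satisfies MinimalDocument.
interface MinimalDocument {
  createElement(tag: string): { setAttribute(name: string, value: string): void };
}

function buildImgDom(img: ImageFields, doc: MinimalDocument) {
  const el = doc.createElement("img");
  el.setAttribute("src", img.src);
  el.setAttribute("alt", img.alt); // the serialiser later emits the whole value as one alt="..."
  return el;
}

// Check: list the on* attribute names an HTML tokenizer would see in one
// start tag. Deliberately minimal; it only needs to tell the two outputs apart.
function eventHandlerAttributes(tag: string): string[] {
  const inner = tag.replace(/^<img\b/i, "").replace(/\/?>$/, "");
  const attrRe = /([^\s"'=<>`\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const names: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(inner)) !== null) {
    const name = m[1].toLowerCase();
    if (name.startsWith("on")) names.push(name);
  }
  return names;
}

// Constructed hostile image as Defuddle would read it from a page that used
// single quotes around alt, making a literal '"' a legal part of the value.
const HOSTILE_IMAGE: ImageFields = {
  src: "https://example.invalid/cat.png",
  alt: 'cat" onload="alert(document.cookie)',
};

function demo(): { vulnerable: string[]; safe: string[] } {
  return {
    vulnerable: eventHandlerAttributes(buildImgVulnerable(HOSTILE_IMAGE)), // ["onload"]
    safe: eventHandlerAttributes(buildImgSafe(HOSTILE_IMAGE)),             // []
  };
}

console.log(buildImgVulnerable(HOSTILE_IMAGE));
console.log(buildImgSafe(HOSTILE_IMAGE));
console.log(demo());
```

The vulnerable builder emits `alt="cat" onload="alert(document.cookie)"`, a second attribute the browser will honour; the escaped builder emits a single `alt` whose value merely contains the text `&quot; onload=&quot;...`. `buildImgDom` shows the shape of the patch's approach: `setAttribute` stores the raw value and the DOM serialiser, not the caller, decides how it is quoted.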


How can this vulnerability impact me?

This vulnerability can lead to cross-site scripting (XSS) attacks in any application that renders HTML output generated by defuddle, such as browser extensions, web clippers, or reader modes.

An attacker can craft malicious HTML with a specially crafted `alt` attribute in an image tag to inject and execute arbitrary JavaScript code.

The impact includes execution of attacker-controlled scripts in the context of the vulnerable application, which can lead to theft of sensitive information like cookies, session hijacking, or other malicious actions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting HTML content generated by the defuddle package, specifically looking for image tags whose alt attribute contains unescaped double quotes that allow injection of event handlers such as onload.

A practical detection approach is to search HTML output for image tags with suspicious alt attributes that include quotes followed by event handlers:

- Use grep or similar tools to scan HTML files or logs for patterns like: <img[^>]*alt=["'][^"']*"[^>]*onload=
- Example command to find suspicious img tags in HTML files (the pattern is double-quoted so the inner quotes reach grep intact): grep -E "<img[^>]*alt=[\"'][^\"']*\"[^>]*onload=" *.html
- Monitor network traffic for HTML responses containing image tags with alt attributes that include double quotes followed by event handlers.

These patterns are heuristics: a source page can carry the quote as the entity &quot;, which defuddle decodes before re-emitting the attribute, and the grep above will not match it. The reliable check is the installed version, for example npm ls defuddle in each project, extension or clipper that bundles the package, compared against the fixed version 0.9.0. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade the defuddle package to version 0.9.0 or later, where the vulnerability has been patched.

The patch avoids direct string interpolation of image src and alt attributes and instead uses DOM API methods to set attributes safely, ensuring proper escaping.

If upgrading is not immediately possible, sanitize HTML output by removing event handler attributes (those starting with "on") and dangerous elements such as <script>, <style>, <object>, and others as described in the security patch:

- Apply the sanitization steps implemented in the patch: remove script tags (except math scripts), strip event handler attributes, remove dangerous iframe attributes like srcdoc, and remove elements like <object>, <embed>, and <base>.
- Review and sanitize any HTML content generated by defuddle before rendering it in browsers or applications. [1, 2]
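The sanitization steps listed above, implemented as an added example that is not Defuddle's code. `sanitizeTree` is written against a small structural interface that browser and jsdom Elements satisfy, so it can run over a real extracted DOM; `FakeElement` and the hostile fragment are constructed stand-ins so the example runs offline in Node. Treating `<script type="math/...">` as the "math scripts" the patch preserves is an assumption, as is including `<style>` among the dropped elements.

```typescript
// Added example, not Defuddle's code. Applies the post-processing steps the
// advisory attributes to the 0.9.0 patch to any DOM-like tree: drop <script>
// (except math scripts), strip on* handlers, drop iframe srcdoc, and drop
// <object>/<embed>/<base>/<style>. Browser and jsdom Elements satisfy
// SanitizableElement structurally; FakeElement is a constructed stand-in so
// the example runs offline in Node.

interface SanitizableElement {
  localName: string;
  children: ArrayLike<SanitizableElement>;
  getAttributeNames(): string[];
  getAttribute(name: string): string | null;
  removeAttribute(name: string): void;
  remove(): void;
}

const DROP_ELEMENTS = new Set(["object", "embed", "base", "style"]);

// Assumption: "math scripts" means MathJax-style <script type="math/tex">.
function isMathScript(el: SanitizableElement): boolean {
  return (el.getAttribute("type") ?? "").toLowerCase().startsWith("math/");
}

// Walks the tree depth-first and returns how many removals it made, so the
// caller can log or alert when extracted content needed cleaning.
function sanitizeTree(el: SanitizableElement): number {
  let removed = 0;
  // Snapshot first: a live HTMLCollection shrinks while children are removed.
  for (const child of Array.from(el.children)) removed += sanitizeTree(child);

  const tag = el.localName.toLowerCase();
  if (DROP_ELEMENTS.has(tag) || (tag === "script" && !isMathScript(el))) {
    el.remove();
    return removed + 1;
  }
  for (const name of el.getAttributeNames()) {
    const lower = name.toLowerCase();
    if (lower.startsWith("on") || (tag === "iframe" && lower === "srcdoc")) {
      el.removeAttribute(name);
      removed++;
    }
  }
  return removed;
}

const VOID_ELEMENTS = new Set(["img", "br", "hr", "input", "meta", "link", "base", "embed"]);

// In-memory element with just enough of the DOM surface for sanitizeTree.
class FakeElement implements SanitizableElement {
  children: FakeElement[] = [];
  private attrs = new Map<string, string>();
  private parent: FakeElement | null = null;

  constructor(public localName: string, attrs: Record<string, string> = {}) {
    for (const [k, v] of Object.entries(attrs)) this.attrs.set(k, v);
  }
  append(...kids: FakeElement[]): this {
    for (const kid of kids) { kid.parent = this; this.children.push(kid); }
    return this;
  }
  getAttributeNames(): string[] { return Array.from(this.attrs.keys()); }
  getAttribute(name: string): string | null { return this.attrs.get(name) ?? null; }
  removeAttribute(name: string): void { this.attrs.delete(name); }
  remove(): void {
    if (this.parent) this.parent.children = this.parent.children.filter(c => c !== this);
    this.parent = null;
  }
  // Serialise with escaped attribute values so the result is inspectable and
  // cannot itself reintroduce the attribute break-out.
  toHTML(): string {
    const esc = (s: string) =>
      s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    const attrs = Array.from(this.attrs, ([k, v]) => ` ${k}="${esc(v)}"`).join("");
    if (VOID_ELEMENTS.has(this.localName)) return `<${this.localName}${attrs}>`;
    const inner = this.children.map(c => c.toHTML()).join("");
    return `<${this.localName}${attrs}>${inner}</${this.localName}>`;
  }
}

// Constructed fragment resembling what an unpatched extraction could emit.
function buildHostileFragment(): FakeElement {
  return new FakeElement("article").append(
    new FakeElement("img", { src: "https://example.invalid/cat.png", alt: "cat", onload: "alert(1)" }),
    new FakeElement("script"),
    new FakeElement("script", { type: "math/tex" }),
    new FakeElement("iframe", { src: "https://example.invalid/", srcdoc: "<script>alert(2)</script>" }),
    new FakeElement("object", { data: "https://example.invalid/x.swf" }),
    new FakeElement("p", { onclick: "steal()", class: "body" }),
  );
}

function sanitizedHostileFragment(): { removed: number; html: string } {
  const root = buildHostileFragment();
  const removed = sanitizeTree(root);
  return { removed, html: root.toHTML() };
}

console.log(sanitizedHostileFragment());
```

Children are processed before their parent so that a removed subtree is counted once and never revisited, and the child collection is copied before iteration because a live `HTMLCollection` shrinks as nodes are removed. Run against a real DOM, `sanitizeTree(document.body)` is the only call needed; the return value is useful as a signal that extracted content carried something the renderer should never have seen.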

