Cross-Site Scripting in bracket-template

Severity:: High

Description

All versions of bracket-template are vulnerable to stored cross-site scripting (XSS). This is exploitable when a variable passed in via a GET parameter is used in a template.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.1.5

References

GHSA-jj6g-7j8p-7gf2
hackerone.com
www.npmjs.com
CWE-79
OWASP 2021-A3

Related Issues

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592

Tags:: npm; bracket-template

Anything's wrong? Let us know Last updated on January 09, 2023