Cross-Site Scripting in vant

Severity:: High

Description

Versions of vant prior to 2.1.8 are vulnerable to Cross-Site Scripting. The text value of the Picker component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim’s browser.

Recommendation

Update the vant package to the latest compatible version. Followings are version details:

Affected version(s): < 2.1.8
Patched version(s): 2.1.8

References

GHSA-9xr8-8hmc-389f
www.npmjs.com
snyk.io
CWE-79
OWASP 2021-A3

Related Issues

Code Injection in node-rules - CVE-2020-7609
Command Injection in lodash - CVE-2021-23337
gifplayer XSS vulnerability - CVE-2025-31128
Prototype pollution in gsap - CVE-2020-28478

Tags:: npm; vant

Anything's wrong? Let us know Last updated on January 09, 2023