defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag
- Severity:
- Low
Description
The _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping:
An attacker can place a double quote (") in the alt attribute value to break out of the attribute context and inject event-handler attributes into the generated img tag.
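As an added example (not defuddle's own code), the raw-interpolation pattern the advisory describes beside an attribute-escaping fix; the function names, the escaping helper and the sample src/alt values are assumptions, not taken from src/defuddle.ts.

```typescript
// Added example, not code from the defuddle project.
// Escape the characters that can end or alter an HTML attribute value
// (& first, so already-escaped output is not double-encoded later).
function escapeHtmlAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hypothetical reconstruction of the vulnerable pattern: src and alt are
// interpolated into the HTML string with no escaping at all.
function buildImgUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened form: every interpolated attribute value is escaped first.
// (In a browser, document.createElement("img") + setAttribute avoids the
// manual escaping entirely, because the DOM never parses the values as HTML.)
function buildImgSafe(src: string, alt: string): string {
  return `<img src="${escapeHtmlAttr(src)}" alt="${escapeHtmlAttr(alt)}">`;
}

// Simple check for an emitted <img> string: exactly four double quotes are
// expected (the delimiters of src="..." and alt="..."); any more means a
// value broke out of its attribute and could carry extra attributes.
function countAttributeQuotes(html: string): number {
  return (html.match(/"/g) ?? []).length;
}

// Constructed sample values (not from the advisory): an alt text carrying
// the quote break-out pattern the advisory describes.
const sampleSrc = "https://example.invalid/logo.png";
const sampleAlt = 'logo" onerror="x()';
```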
Recommendation
Update the defuddle package to the latest compatible version. Version details:
- Affected version(s): < 0.9.0
- Patched version(s): 0.9.0
- Tags:
- npm
- defuddle
Last updated on March 09, 2026