defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag

Severity:: Low

Description

The _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping:

An attacker can use a " in the alt attribute to break out of the attribute context and inject event handlers.

Recommendation

Update the defuddle package to the latest compatible version. Followings are version details:

Affected version(s): < 0.9.0
Patched version(s): 0.9.0

References

GHSA-5mq8-78gm-pjmq
CVE-2026-30830
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Apostrophe has stored XSS via javascript: URL in Image Widget Link - CVE-2026-45011

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; defuddle

Anything's wrong? Let us know Last updated on March 09, 2026