Improper Neutralization of Input During Web Page Generation in Select2
- Severity:
- Medium
Description
In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.
Recommendation
Update the select2 package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.0.6
- Patched version(s): 4.0.6
References
Related Issues
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
- tarteaucitron.js allows UI manipulation via unrestricted CSS injection - CVE-2025-31138
- Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) - Vulnerability
- Predictable results in nanoid generation when given non-integer values - CVE-2024-55565
- Tags:
- npm
- select2
Anything's wrong? Let us know Last updated on January 27, 2023