Description
Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch.
Recommendation
Update the ip-address package to the latest compatible version. Followings are version details:
- Affected version(s): <= 10.1.0
- Patched version(s): 10.1.1
References
Related Issues
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
- Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html` - CVE-2026-44990
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
- PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - CVE-2026-41305
You might also like:
- Tags:
- npm
- ip-address
Anything's wrong? Let us know Last updated on May 13, 2026