Description
Applications that use KaTeX to render untrusted mathematical expressions can be fed malicious input that uses the \includegraphics command to run arbitrary JavaScript or to generate invalid HTML.
Recommendation
Update the katex package to the latest compatible version. Version details:
- Affected version(s): >= 0.11.0, < 0.16.10
- Patched version(s): 0.16.10
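The following is an added example, not code from the KaTeX project or from this advisory. It shows two checks an application rendering untrusted TeX would want: a `trust` callback that never enables \includegraphics for untrusted input (and only lets \href and \url through for http(s) or relative URLs), and a version gate for the affected range listed above. It assumes the shape of KaTeX's documented `trust` callback context (`command`, and for URL-bearing commands `url` and `protocol`, with `"_relative"` marking relative URLs); the helper names are this example's own.

```javascript
// Added example (not KaTeX project code). Two defensive checks for apps that
// render untrusted TeX with KaTeX:
//   1. a `trust` callback that never enables \includegraphics for untrusted
//      input, and only lets \href / \url through for http(s)/relative URLs;
//   2. a version gate for the range this advisory lists (>= 0.11.0, < 0.16.10).
//
// Assumption: KaTeX's documented `trust` option accepts a function that is
// called with a context object carrying `command` (e.g. "\\includegraphics")
// and, for URL-bearing commands, `url` and `protocol` ("_relative" for
// relative URLs). The helper names below are this example's own.

// Protocols we are willing to emit in links from untrusted input.
const ALLOWED_URL_PROTOCOLS = new Set(["http", "https", "_relative"]);

function untrustedInputTrustPolicy(context) {
  // \includegraphics is the command in this advisory: deny it unconditionally,
  // regardless of KaTeX version, so the trust gate never opens it.
  if (context.command === "\\includegraphics") {
    return false;
  }
  if (context.command === "\\href" || context.command === "\\url") {
    // Lowercase before comparing so a mixed-case scheme ("HTTPS:", "JavaScript:")
    // is judged on its real protocol, not on its spelling.
    const protocol = String(context.protocol || "").toLowerCase();
    return ALLOWED_URL_PROTOCOLS.has(protocol);
  }
  // Every other trust-gated command (\htmlClass, \htmlData, ...) stays off.
  return false;
}

// Options object to pass as the second argument of katex.renderToString /
// katex.render when the TeX comes from an untrusted party.
function untrustedRenderOptions() {
  return {
    trust: untrustedInputTrustPolicy,
    throwOnError: false, // render the parse error inline instead of throwing
    maxExpand: 1000,     // also bound macro expansion for untrusted input
  };
}

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a leading "v" and any
// pre-release/build suffix are ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) {
      return pa[i] < pb[i] ? -1 : 1;
    }
  }
  return 0;
}

// True when `version` falls in the advisory's affected range.
function isAffectedKatexVersion(version) {
  return compareVersions(version, "0.11.0") >= 0 &&
         compareVersions(version, "0.16.10") < 0;
}

// Example usage (constructed, not real traffic):
//   const pkg = require("katex/package.json");
//   if (isAffectedKatexVersion(pkg.version)) { /* refuse to start, or log loudly */ }
//   katex.renderToString(userTex, untrustedRenderOptions());
```

The policy is deliberately an allowlist: anything it does not recognise is denied, which is the same outcome as KaTeX's default `trust: false`, but it leaves room to permit ordinary links without ever re-enabling \includegraphics. The version gate is a deployment-time check only; it does not replace the upgrade.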
References
Related Issues
- KaTeX \htmlData does not validate attribute names - CVE-2025-23207
- KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols - CVE-2024-28246
- Vite's `server.fs.deny` did not deny requests for patterns with directories. - CVE-2024-31207
- Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706
- Tags:
- npm
- katex
Last updated on March 25, 2024