tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload

Severity:: Medium

Description

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the cross-site scripting (XSS) payload.

Recommendation

Update the @yaireo/tagify package to the latest compatible version. Followings are version details:

Affected version(s): < 4.9.8
Patched version(s): 4.9.8

References

GHSA-pxpf-v376-7xx5
snyk.io
bsg.tech
CVE-2022-25854
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs - CVE-2025-62374
Making all attributes on a content-type public without noticing it (GHSA-chmr-rg2f-9jmf) 2 - CVE-2023-34093
AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6) - CVE-2024-8373

Tags:: npm; @yaireo/tagify

Anything's wrong? Let us know Last updated on January 30, 2023