cvedb.io
CVE-2026-30830
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-03-07T06:16:11.163 · Last modified 2026-06-17T10:32:59.390

Summary

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

Affected products

kepano — defuddle

Does this affect you?

Add your gear to cvedb and we'll alert you only when kepano ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.