QwikSec

Security Database

CVE

CWE

Training

CVE-2026-30830

Published: Mar 7, 2026

Modified: Mar 10, 2026

PUBLISHED

Description

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

Vendor	Product	Versions
kepano	defuddle	affected `< 0.9.0`

Weaknesses (CWE)

References

https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq

x_refsource_CONFIRM

https://github.com/kepano/defuddle/commit/f154cb740ee603431b69638273af737a27156df9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.