Defuddle: Unsanitized HTML can inject malicious code
GHSA-5mq8-78gm-pjmq
CVE-2026-30830
Summary
Defuddle, a tool for cleaning up HTML pages, had a security flaw prior to version 0.9.0: an attacker could inject malicious code into a web page by manipulating an image's alt attribute. The issue is fixed in version 0.9.0, so update to that version or later to stay secure.
What to do
- Update defuddle to version 0.9.0 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | defuddle | <= 0.9.0 | 0.9.0 |
| kepano | defuddle | <= 0.9.0 | – |
Original title
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping...
Original description
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " character in the alt attribute to break out of the attribute context and inject an event handler. This issue has been patched in version 0.9.0.
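As an added example (not Defuddle's own code; function names and the sample values are assumptions), the unescaped interpolation pattern the advisory describes next to an attribute-escaping version, with a check that lists the attributes a browser would parse from each result:

```typescript
// Added example: the bug class from the advisory and its fix. Names here are
// assumptions, not identifiers from Defuddle's source.

// Vulnerable pattern: attribute values interpolated into HTML without escaping.
function renderImageUnescaped(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened pattern: escape every character that can end or alter an attribute value.
// Ampersand goes first so already-produced entities are not double-escaped.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderImageEscaped(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Check: the attribute names present on the rendered tag. A value that broke out of
// its quotes shows up here as an extra attribute; a properly escaped one does not.
function attributeNames(tag: string): string[] {
  const names: string[] = [];
  const re = /\s([a-zA-Z][\w-]*)\s*=\s*"[^"]*"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed alt text: a double quote that closes alt, then an extra attribute.
const constructedAlt = 'logo" data-injected="1';
const sampleSrc = "https://example.invalid/logo.png"; // constructed, not a real host
const unsafeHtml = renderImageUnescaped(sampleSrc, constructedAlt);
const safeHtml = renderImageEscaped(sampleSrc, constructedAlt);

console.log(attributeNames(unsafeHtml)); // [ 'src', 'alt', 'data-injected' ]
console.log(attributeNames(safeHtml));   // [ 'src', 'alt' ]
```

Run it once with the constructed value and once with your own quoted string to confirm the escaped rendering never produces an attribute you did not write.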
CVSS 4.0 (GHSA): 2.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026