๐Ÿ” CVE Alert

CVE-2026-30830

UNKNOWN 0.0

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping them. An attacker can place a " character in the alt attribute to break out of the attribute context and inject an event handler attribute. This issue has been patched in version 0.9.0.
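To make the attribute-context breakout concrete, here is an added example (not Defuddle's own code, and the function names, the exact markup, and the constructed sample values are assumptions): a reconstruction of the unsafe interpolation pattern beside an escaped version, plus a small attribute-counting check that a test suite or review script could use to catch the breakout.

```typescript
// Added illustration of the CWE-79 pattern described in the advisory.
// Not code from the Defuddle project; names and markup are assumed.

// Escape the characters that can end or alter a double-quoted HTML attribute.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Assumed vulnerable shape: untrusted values interpolated verbatim.
function buildImgUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened shape: every untrusted value escaped before interpolation.
function buildImgSafe(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Defender-side check: list the attribute names a parser would see on a tag.
// A breakout from alt shows up as an extra attribute (here "onerror").
function attributeNames(tag: string): string[] {
  const names: string[] = [];
  const re = /\s([a-zA-Z-]+)=("[^"]*"|'[^']*'|[^\s>]+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) {
    names.push((m[1] ?? "").toLowerCase());
  }
  return names;
}

// Constructed sample input modelled on the advisory: a quote inside alt
// closes the attribute early, and what follows parses as a new attribute.
const SAMPLE_SRC = "https://example.invalid/cat.png";
const SAMPLE_ALT = 'cat photo" onerror="alert(1)';

console.log(buildImgUnsafe(SAMPLE_SRC, SAMPLE_ALT));
console.log(attributeNames(buildImgUnsafe(SAMPLE_SRC, SAMPLE_ALT)));
console.log(buildImgSafe(SAMPLE_SRC, SAMPLE_ALT));
console.log(attributeNames(buildImgSafe(SAMPLE_SRC, SAMPLE_ALT)));
```

With the unsafe builder the tag carries three attributes (src, alt, onerror); with the escaped builder the quote becomes `&quot;` and the whole attacker string stays inside alt, so only src and alt remain. Building the element with DOM APIs (createElement plus setAttribute) instead of string concatenation removes this class of bug entirely.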

CWE: CWE-79
Vendor: kepano
Product: defuddle
Published: Mar 7, 2026
Last Updated: Mar 10, 2026

Affected Versions

kepano / defuddle
< 0.9.0

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq
Fix commit: https://github.com/kepano/defuddle/commit/f154cb740ee603431b69638273af737a27156df9