CVE-2026-42338

UNKNOWN 0.0

ip-address: XSS in Address6 HTML-emitting methods

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.

CWE	CWE-79
Vendor	beaugunderson
Product	ip-address
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for beaugunderson ip-address

Be the first to know when new unknown vulnerabilities affecting beaugunderson ip-address are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

beaugunderson / ip-address

< 10.1.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g