Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30830

created 1 month, 1 week ago

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

References

https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq x_refsource_CONFIRM
https://github.com/kepano/defuddle/commit/f154cb740ee603431b69638273af737a27156df9 x_refsource_MISC

Affected products

defuddle

==< 0.9.0

Matching in nixpkgs

pkgs.defuddle-cli

Command line utility to extract clean html, markdown and metadata from web pages

nixos-unstable 0.6.4
- nixpkgs-unstable 0.6.4
- nixos-unstable-small 0.6.4
nixos-25.11 0.6.4
- nixos-25.11-small 0.6.4
- nixpkgs-25.11-darwin 0.6.4

Package maintainers

@surfaceflinger nat <nat@nekopon.pl>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.defuddle-cli

Package maintainers