Kepano Defuddle 0.5.4 Security Vulnerabilities
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject an event handler. This issue has been patched in version 0.9.0.
CVSS Score: 2.1
EPSS Score: 0.0
Published: 2026-03-07
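The class of bug described above, shown as an added example beside a hardened form; this is not Defuddle's code or its actual patch. The function names and the sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Defuddle source. All names here are hypothetical.

// Escape a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pattern described in the advisory: attribute values interpolated as-is.
function buildImgUnsafe(src, alt) {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened form: every interpolated value is escaped first.
function buildImgSafe(src, alt) {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Minimal checker: list the attribute names present in one tag string
// (double-quoted attributes only, which is enough for this demonstration).
function attrNames(tag) {
  return [...tag.matchAll(/\s([\w-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed input: a harmless marker attribute stands in for an injected one.
const SAMPLE_SRC = 'photo.png';
const SAMPLE_ALT = 'cat" data-injected="1';

// Unsafe output gains a third attribute; safe output keeps exactly src and alt.
console.log(attrNames(buildImgUnsafe(SAMPLE_SRC, SAMPLE_ALT)));
console.log(attrNames(buildImgSafe(SAMPLE_SRC, SAMPLE_ALT)));
```

Building the element through DOM APIs such as setAttribute avoids the string context altogether and is the other common fix for this pattern.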

