NIXPKGS-2026-0568

GitHub issue published on 8 Mar 2026

Permalink CVE-2026-30830

updated 1 week ago by @mweinelt Activity log

Created automatic suggestion 1 week ago
@mweinelt accepted 1 week ago
@mweinelt published on GitHub 1 week ago

Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.

References

https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq x_refsource_CONFIRM
https://github.com/kepano/defuddle/commit/f154cb740ee603431b69638273af737a27156df9 x_refsource_MISC

Affected products

defuddle

==< 0.9.0

Matching in nixpkgs

pkgs.defuddle-cli

Command line utility to extract clean html, markdown and metadata from web pages

nixos-unstable 0.6.4
- nixpkgs-unstable 0.6.4
- nixos-unstable-small 0.6.4
nixos-25.11 0.6.4
- nixos-25.11-small 0.6.4
- nixpkgs-25.11-darwin 0.6.4

Package maintainers

@surfaceflinger nat <nat@nekopon.pl>

Upstream advisory: https://github.com/kepano/defuddle/security/advisories/GHSA-5mq8-78gm-pjmq

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0568

References

Affected products

Matching in nixpkgs

pkgs.defuddle-cli

Package maintainers