Vulnerability Details CVE-2026-30830
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event handler. This issue has been patched in version 0.9.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.0%
CVSS Severity