CVE-2026-30830: defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag
The _findContentBySchemaText method in src/defuddle.ts interpolates the image src and alt values directly into an HTML string without escaping them:
html += `<img src="${imageSrc}" alt="${imageAlt}">`;
An attacker can place a double quote (") in the alt attribute to break out of the attribute context and inject event handlers. This is a separate vulnerability from the sanitization bypass fixed in f154cb7: the injection happens while the HTML string is being built, not in the DOM, so _stripUnsafeElements cannot catch it.
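The mechanism and its fix side by side, as an added example that is not defuddle's own code: renderImageUnsafe reproduces the interpolation pattern from the advisory, renderImageSafe escapes every interpolated value before it enters the string, and attributeCount is a hypothetical helper that shows the breakout by counting how many attributes the rendered tag ends up with. The function names and the sample alt text are constructed for this illustration.

```typescript
// Escape table for values placed inside a double-quoted HTML attribute.
const ATTR_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a string so it cannot terminate the attribute it is placed in.
function escapeAttr(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch] ?? ch);
}

// Vulnerable pattern (same shape as the advisory): raw interpolation,
// so a quote in alt ends the attribute and anything after it becomes markup.
function renderImageUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened pattern: escape at the point of string construction, which is
// where the injection happens and where a later DOM sanitizer cannot reach.
function renderImageSafe(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Crude check for attribute breakout: count name="value" pairs in one tag.
// A tag built from (src, alt) should never carry more than two.
function attributeCount(tag: string): number {
  const matches = tag.match(/\s[a-zA-Z][\w-]*="[^"]*"/g);
  return matches ? matches.length : 0;
}

// Constructed sample alt text: a quote followed by an extra attribute
// (a harmless data-* attribute stands in for the event handler the advisory describes).
const CONSTRUCTED_ALT = 'photo" data-injected="1';

console.log(renderImageUnsafe("a.png", CONSTRUCTED_ALT)); // three attributes: breakout
console.log(renderImageSafe("a.png", CONSTRUCTED_ALT));   // two attributes: contained
```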