GHSA-785h-76cm-cpmf: Django TomSelect incomplete escaping of dangerous characters in widget attributes

March 26, 2025 (updated October 31, 2025)

User supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and in some cases are rendered in browser as valid html tags.

References

github.com/OmenApps/django-tomselect
github.com/OmenApps/django-tomselect/commit/0990ed36c8874f9d42fa9deff7734bf8dcd46d40
github.com/OmenApps/django-tomselect/security/advisories/GHSA-785h-76cm-cpmf
github.com/advisories/GHSA-785h-76cm-cpmf

Code Behaviors & Features

Detect and mitigate GHSA-785h-76cm-cpmf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →