Intel

AIKIDO-2026-296759

defuddle is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)GHSA-jg4p-g6xj-4qmf Published Jun 25, 2026

82

High Risk

This Affects:

JSdefuddle
0.1.0 - 0.19.0
Fixed in 0.19.1
Are you affected? Scan for Free

TL;DR

Several site extractors in defuddle build their output HTML by interpolating untrusted DOM attribute values, such as an image alt, an image src, or a video description read directly off the page, into template-literal strings without escaping. A value containing a quote character closes the attribute and injects new attributes, producing a live event handler or a javascript: URL. Extractor output is returned without passing through the DOM-based sanitizer used elsewhere, so the injected markup reaches the consumer as executable HTML and runs in the browser. The fix routes all extractor output through a central sanitizer that strips unsafe elements and escapes the interpolated values at each sink.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application extracts and renders content from untrusted pages using the affected site extractors.

Background info

defuddle is vulnerable to Cross-Site Scripting (XSS) in versions 0.1.0 - 0.19.0.

How to fix this

Upgrade the defuddle library to the patch version.