PT-2026-55466 · Npm · @Asymmetric-Effort/Specifyjs

Publicado

2026-07-02

·

Atualizado

2026-07-02

·

CVE-2026-50290

CVSS v4.0

5.3

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Finding

Location: core/src/server/render-to-string.ts:307-311
CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (65xpression(), null bytes, or CSS comments (exp/**/ression().
Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.

Status

Fixed in v0.2.136 — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for behavior:, -moz-binding, and -o-link patterns.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-50290
GHSA-93Q6-WWJH-JC6H

Produtos afetados

@Asymmetric-Effort/Specifyjs