Unknown · Matrix-React-Sdk · CVE-2023-30609
**Name of the Vulnerable Software and Affected Versions**
matrix-react-sdk versions prior to 3.71.0
**Description**
In affected versions, plain-text messages that contain HTML tags are rendered as HTML in the search results view rather than as text. To exploit this, an attacker sends a message carrying an HTML injection payload and then has to get the victim to run a search whose results include that message. Cross-site scripting is not possible in the general case because of the client's hardcoded Content Security Policy; however, that policy makes exceptions for resources from specific domains, which could turn the injection into an XSS vector.
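As an added illustration (not matrix-react-sdk's own code), the JavaScript below shows the rendering mistake the description refers to next to the escaped form. The event shape follows the Matrix `m.room.message` format (`body`, `format`, `formatted_body`); the helper names, the sample events and the search-hit markup are constructed for this example, and `sanitizeHtml` is a placeholder for whatever allow-list sanitizer a real client applies to `formatted_body`.

```javascript
// Added example, not matrix-react-sdk code. Shows a plain-text message body
// being interpolated into search-result markup as HTML, and the escaping fix.

// Constructed sample events (not captured from a real room).
const plainTextEvent = {
  type: "m.room.message",
  content: {
    msgtype: "m.text",
    // Attacker-controlled text; a compliant sender would never mark this as HTML.
    body: '<img src="https://example.invalid/x.png" onerror="alert(1)">',
  },
};

const htmlEvent = {
  type: "m.room.message",
  content: {
    msgtype: "m.text",
    body: "hello",
    format: "org.matrix.custom.html",
    formatted_body: "<b>hello</b>",
  },
};

// Vulnerable pattern: whichever field is chosen is dropped into the markup
// verbatim, so tags inside a plain-text body become live HTML.
function renderSearchHitVulnerable(event) {
  const c = event.content;
  const html = c.format === "org.matrix.custom.html" ? c.formatted_body : c.body;
  return `<div class="search-hit">${html}</div>`;
}

// Escape the characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed pattern: only formatted_body is ever treated as markup, and only after
// the caller's sanitizer has run on it. A plain-text body is always escaped.
// If no sanitizer is supplied, fail closed and escape formatted_body as well.
function renderSearchHitFixed(event, sanitizeHtml) {
  const c = event.content;
  let html;
  if (c.format === "org.matrix.custom.html" && typeof c.formatted_body === "string") {
    html = typeof sanitizeHtml === "function" ? sanitizeHtml(c.formatted_body) : escapeHtml(c.formatted_body);
  } else {
    html = escapeHtml(c.body);
  }
  return `<div class="search-hit">${html}</div>`;
}

// Check helper: true when the body contains a tag and the renderer emitted
// that body unescaped, i.e. attacker markup reached the output.
function leaksRawTag(event, render) {
  const out = render(event);
  const body = event.content.body;
  return /<[a-z][^>]*>/i.test(body) && out.includes(body);
}
```

The fixed renderer treats `formatted_body` as markup only when a sanitizer is handed to it; otherwise it escapes everything, so a plain-text `body` can never reach the DOM as HTML. The CSP caveat in the description still applies: escaping is the fix, and the policy is only defence in depth.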
**Recommendations**
Upgrade matrix-react-sdk to version 3.71.0 or later, which resolves the issue.
As a temporary workaround only, restarting the client clears the injected HTML from the search results; it does not prevent the injection from recurring on the next matching search.