Katex · Katex · CVE-2024-28245
**Name of the Vulnerable Software and Affected Versions**
KaTeX versions prior to 0.16.10
**Description**
KaTeX is a JavaScript library for TeX math rendering on the web. Applications that render untrusted mathematical expressions could receive malicious input using `includegraphics` that runs arbitrary JavaScript, or that generates invalid HTML. The `includegraphics` command did not properly quote its filename argument, so the generated HTML could be invalid or could carry script-running markup.
**Recommendations**
Upgrade to KaTeX v0.16.10 to remove this vulnerability.
As a temporary workaround, any of the following reduces exposure:
- Avoid or turn off the `trust` option, or set it to a function that forbids `includegraphics` commands.
- Reject inputs containing the substring `"includegraphics"`.
- Sanitize the HTML output from KaTeX before inserting it into the page.