PT-2026-23792 · Defuddle · Defuddle

Tinkanet · Published 2026-03-06 · Updated 2026-03-11 · CVE-2026-30830

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Defuddle versions prior to 0.9.0

Description: Defuddle contains a flaw in the findContentBySchemaText method in src/defuddle.ts. The method interpolates the src and alt attributes of an image directly into an HTML string without escaping them. An attacker can place a double quote character (") in the alt attribute to break out of the attribute context and inject event handlers, leading to potential cross-site scripting (XSS). Because the issue arises during string construction rather than in the DOM, it bypasses the stripUnsafeElements function. The vulnerability is triggered when processing HTML that contains schema.org structured data and a sibling image with a crafted alt attribute. The affected code builds the markup with string interpolation (html += ${imageAlt};); getAttribute() returns the raw attribute value, so a quote character in alt allows event handlers such as onload to be injected. This can affect any application that renders Defuddle’s HTML output, such as browser extensions, web clippers, and reader modes.
Recommendations: Versions prior to 0.9.0 should be updated to version 0.9.0 or later. As an alternative, use the DOM API instead of string interpolation when creating image elements. Specifically, use the following code:

if (imageSrc) {
  // Build the element through the DOM instead of concatenating a string.
  const img = this.doc.createElement('img');
  img.setAttribute('src', imageSrc);
  img.setAttribute('alt', imageAlt);
  // outerHTML serializes the attribute values with the quotes escaped.
  html += img.outerHTML;
}
This approach ensures that attribute values are properly escaped by the DOM serializer.
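To make the difference concrete, the following is an added example (not Defuddle's code) that places the vulnerable interpolation pattern beside an escaped serialization and shows how a browser would read each result. It runs in Node without a DOM, so escapeAttribute() is an assumed hand-written stand-in for the attribute escaping a browser's outerHTML serializer performs; in the real fix the browser does this for you. The sample src and alt values are constructed.

```javascript
// Added example (not Defuddle's code): vulnerable interpolation vs. escaped
// serialization of <img> attributes. escapeAttribute() is an assumed stand-in
// for what a browser's outerHTML serializer does to attribute values, so the
// example runs in Node without a DOM.

// HTML attribute-mode escaping: '&' -> '&amp;', U+00A0 -> '&nbsp;', '"' -> '&quot;'.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// Vulnerable pattern: raw getAttribute() values dropped into the markup string.
function buildImgVulnerable(imageSrc, imageAlt) {
  return `<img src="${imageSrc}" alt="${imageAlt}">`;
}

// Hardened pattern: the same output shape a browser produces from
// createElement('img') + setAttribute() + outerHTML, with values escaped.
function buildImgSafe(imageSrc, imageAlt) {
  return `<img src="${escapeAttribute(imageSrc)}" alt="${escapeAttribute(imageAlt)}">`;
}

// Minimal start-tag attribute tokenizer, mirroring how a browser reads the
// markup: returns the attribute names it would set on the element, in order.
function attributeNames(tag) {
  const inner = tag.slice('<img'.length, tag.lastIndexOf('>'));
  const re = /\s([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample: an alt value whose embedded double quote closes the
// attribute early in the vulnerable version, so an extra attribute appears.
const SAMPLE_SRC = 'https://example.invalid/cover.png';
const SAMPLE_ALT = '" data-injected="yes';

function compare() {
  const vulnerable = buildImgVulnerable(SAMPLE_SRC, SAMPLE_ALT);
  const safe = buildImgSafe(SAMPLE_SRC, SAMPLE_ALT);
  return {
    vulnerable,
    safe,
    vulnerableAttrs: attributeNames(vulnerable), // ['src', 'alt', 'data-injected']
    safeAttrs: attributeNames(safe),             // ['src', 'alt']
  };
}

console.log(compare());
```

The vulnerable string yields three attributes because the quote inside alt ends the attribute early; the escaped string keeps the whole value inside alt, which is exactly what the DOM-based fix above relies on. In a browser, drop the escaping helper and use createElement, setAttribute and outerHTML as in the recommendation; the browser's serializer applies the spec's attribute escaping (which may cover more characters than this stand-in).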

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-30830
GHSA-5MQ8-78GM-PJMQ

Affected Products
Defuddle