PT-2026-29160 · Django+1

Evansd · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-34231

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Slippers versions prior to 0.6.3
Description: A Cross-Site Scripting (XSS) issue exists in the {% attrs %} template tag of the Slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, its value is interpolated into an HTML attribute string without escaping, so a value containing a double quote (or a `<`) closes the attribute and lets an attacker append further attributes, including event handlers, or inject arbitrary HTML and JavaScript into the rendered page. The root cause is that the attr_string() helper does not escape the value before building the attribute. Because the tag assembles the attribute string itself, Django's per-variable template autoescaping does not cover the interpolated value. An attacker can craft a request with a malicious payload in a parameter such as q that the view passes through to {% attrs %}; the payload then executes as JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, actions performed on behalf of the victim, and page defacement. The {% attrs %} tag is vulnerable whenever the values it receives derive from user input, database content, or any other untrusted source.
Recommendations: Update Slippers to version 0.6.3 or later. As a temporary workaround, sanitise untrusted values before passing them to {% attrs %}, for example with django.utils.html.escape() in the view layer. This only covers values the view controls; anything that reaches the tag by another route (database content rendered elsewhere, values built inside templates) remains unprotected, so treat it as a stopgap rather than a fix. After upgrading, remove the view-layer escaping unless you have confirmed it does not double-encode values under the patched tag.
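As an added illustration (not Slippers's code and not the actual patch), the following Python models an attr_string()-style helper in its unescaped and escaped forms, renders a constructed `q` payload through each, and then checks the result the way a browser's HTML parser would: if an attribute name beginning with `on` appears that the template author never wrote, the value escaped its attribute. The helper and function names, the payload and the `q`/`value` context are constructed for this example; the standard library's html.escape() stands in for django.utils.html.escape() so the block runs without Django installed (both escape the same five characters: & < > " ').

```python
"""Added model of the {% attrs %} escaping flaw described in CVE-2026-34231.

This is NOT Slippers's own code: attr_string_vulnerable() and attr_string_fixed()
are simplified, hypothetical stand-ins for the real attr_string() helper, written
to show the difference between interpolating a value unescaped and escaping it.
"""
from html import escape  # same characters as django.utils.html.escape: & < > " '
from html.parser import HTMLParser

# Constructed attacker input, e.g. the value of a ?q=... request parameter that a
# view copies into the context variable rendered by {% attrs %}.
PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def attr_string_vulnerable(key, value):
    """Modelled pre-0.6.3 behaviour: the value is dropped into the attribute
    string without escaping, so a double quote in it terminates the attribute."""
    if value is True:
        return key
    if value is False or value is None:
        return ""
    return f'{key}="{value}"'


def attr_string_fixed(key, value):
    """Hardened variant: escape before interpolating, so " < > & ' can neither
    terminate the attribute nor open a new tag."""
    if value is True:
        return key
    if value is False or value is None:
        return ""
    return f'{key}="{escape(str(value), quote=True)}"'


def render_attrs(attrs, attr_string):
    """Join key/value pairs into one attribute string, skipping empty entries."""
    return " ".join(s for s in (attr_string(k, v) for k, v in attrs.items()) if s)


def workaround_escaped_context(query):
    """The advisory's view-layer workaround: escape before the value reaches an
    unpatched tag. Only values the view controls get this treatment."""
    return {"name": "q", "value": escape(query, quote=True)}


class _TagAttrs(HTMLParser):
    """Collect the attributes an HTML parser actually sees on a start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs = attrs


def parsed_attributes(rendered_attrs):
    """Parse '<input ...>' as a browser would; returns [(name, value), ...]
    with entity references in values already decoded."""
    parser = _TagAttrs()
    parser.feed(f"<input {rendered_attrs}>")
    parser.close()
    return parser.attrs


def injected_event_handlers(rendered_attrs):
    """Attribute names starting with 'on' that the template never declared.
    A non-empty list means the value broke out of its attribute context."""
    return sorted(name for name, _ in parsed_attributes(rendered_attrs) if name.startswith("on"))


if __name__ == "__main__":
    ctx = {"name": "q", "value": PAYLOAD}
    for label, fn in (("vulnerable", attr_string_vulnerable), ("fixed", attr_string_fixed)):
        rendered = render_attrs(ctx, fn)
        print(f"{label}: <input {rendered}> -> injected handlers {injected_event_handlers(rendered)}")
    rendered = render_attrs(workaround_escaped_context(PAYLOAD), attr_string_vulnerable)
    print(f"workaround on unpatched tag: injected handlers {injected_event_handlers(rendered)}")
```

The parser-based check is the part worth keeping: grepping rendered output for `<script` misses attribute-context injection entirely, whereas asking an HTML parser which attributes it actually sees catches any payload that closes the quoted value, whatever the handler name. Note that the fixed helper escapes unconditionally; if the view workaround is left in place against a tag that also escapes, the value is double-encoded and the user sees literal `&quot;` text, which is why the recommendation above says to remove the workaround after upgrading.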

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-34231
GHSA-W7RV-GFP4-J9J3

Affected Products
Django
Slippers