PT-2026-37267 · Npm · Ipaddress

Published 2026-05-05 · Updated 2026-05-20 · CVE-2026-42338

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ip-address versions prior to 10.1.1

Description
The software fails to HTML-escape attacker-controlled content before embedding it in HTML strings. This occurs in the Address6.group() and Address6.link() functions, as well as in the AddressError.parseMessage property emitted by the Address6 constructor when handling invalid input. Specifically, Address6.group() allows zone ID injection, and Address6.link() is susceptible to attribute-value injection via the prefix and className variables. Additionally, the Address6 constructor's error path for leading-zero IPv4 addresses can include unescaped content in the parseMessage output. Applications that pass untrusted input to Address6 and render the output of these methods or the error message as HTML (for example, via innerHTML) are susceptible to cross-site scripting (XSS), in which malicious scripts are injected into otherwise trusted websites.

Recommendations
Update to version 10.1.1. Temporary workarounds: avoid passing untrusted input to the Address6 constructor; treat the output of Address6.group(), Address6.link(), v6.helpers.spanAll(), and the parseMessage field of AddressError as plain text instead of HTML; and validate input using Address6.isValid(), rejecting any input containing a zone identifier (the % character) or characters outside the range [0-9a-fA-F:/] before passing it to the constructor.
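As an added defensive example (not code from ip-address or from this advisory), the following JavaScript implements the two workarounds above as standalone functions: the character allow-list applied before input reaches the Address6 constructor, and plain-text treatment of anything the library returns. It does not call the library; the function names, the 64-character bound and the sample values are assumptions.

```javascript
// Added defensive example for this advisory; not code from ip-address or
// from the advisory itself. The library is not called: the functions below
// show the advisory's workarounds, pre-validation of input and plain-text
// treatment of output, in isolation.

// Characters the advisory permits before input reaches the Address6
// constructor: hex digits, ':' and '/'. Anything else, including the '%'
// that introduces a zone identifier, is rejected. Note that this also
// rejects dotted-quad embedded IPv4 such as "::ffff:192.0.2.1", because
// the advisory's character set does not include '.'.
const ALLOWED_INPUT = /^[0-9a-fA-F:\/]+$/;
const MAX_LEN = 64; // assumed bound; the longest valid text form is shorter

function isAcceptableAddress6Input(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_LEN) {
    return false;
  }
  if (input.includes('%')) return false; // zone identifier: rejected outright
  return ALLOWED_INPUT.test(input);
}

// Escape for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened counterpart of building an anchor from a prefix and a className:
// every interpolated value is escaped, so no value can break out of the
// attribute it was placed in. Hypothetical helper, not the library's link().
function buildAddressLink(prefix, className, addressText) {
  return `<a href="${escapeHtml(prefix + addressText)}" class="${escapeHtml(className)}">` +
    `${escapeHtml(addressText)}</a>`;
}

// Render a parser error message (the parseMessage field) as text, never as
// markup; in a browser the equivalent is element.textContent = message.
function renderErrorMessage(parseMessage) {
  return `<span class="error">${escapeHtml(parseMessage)}</span>`;
}
```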

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-NB51079
CVE-2026-42338
GHSA-V2V4-37R5-5V8G

Affected Products

Ipaddress