PT-2026-55466 · Npm · @Asymmetric-Effort/Specifyjs
Published
2026-07-02
·
Updated
2026-07-02
·
CVE-2026-50290
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Finding
Location:
core/src/server/render-to-string.ts:307-311CSS value sanitization stripped
expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (65xpression(), null bytes, or CSS comments (exp/**/ression().Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.
Status
Fixed in v0.2.136 — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for
behavior:, -moz-binding, and -o-link patterns.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Asymmetric-Effort/Specifyjs