-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from HTML injection in package link generation. Both affected files show the same pattern: constructing <a> tags with raw 'link.url' and 'link.name' values. The patch adds 'onclick='return false'' to prevent link execution, indicating these were active XSS vectors. The functions are vulnerable because they directly interpolate user-controlled data into DOM elements without proper escaping or sanitization, meeting CWE-79 criteria for improper input neutralization during web page generation.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pyload-ng | pip | < 0.5.0b3.dev42 | 0.5.0b3.dev42 |
PythonPythonOngoing coverage of React2Shell