The vulnerability stems from href attribute sanitization that was originally applied only to anchor (`<a>`) tags. The commit diff shows the security fix extending href validation to all tags by removing the `name === 'a'` conditional check. Vulnerable versions lacked this broader sanitization, which allowed XSS through un-sanitized `href` attributes on AREA elements. The attribute-processing logic in htmlUtils.ts was modified directly to address this issue.
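To make the difference concrete, the following is a simplified model added here (not Joplin's htmlUtils.ts and not the project's own code) of the attribute-processing step in its vulnerable and fixed shapes; the scheme allow-list, the function names and the `Attrs` type are assumptions made for the example.

```typescript
// Added illustration, not Joplin's own code: a simplified model of the
// attribute-processing step the advisory describes, in its vulnerable and
// fixed shapes. The scheme allow-list below is a hypothetical policy.

type Attrs = { [name: string]: string };

// Hypothetical allow-list of URL schemes a note viewer may follow.
const ALLOWED_SCHEMES: string[] = ["http:", "https:", "mailto:"];

// Returns true when an href is safe to keep under the policy above.
function isSafeHref(value: string): boolean {
  // Browsers ignore ASCII whitespace and control characters inside a URL
  // scheme, so normalise before matching rather than trusting raw text.
  var v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  var m = /^([a-z][a-z0-9+.\-]*:)/.exec(v);
  if (!m) return true; // no scheme: relative path or fragment link
  return ALLOWED_SCHEMES.indexOf(m[1]) !== -1;
}

// Vulnerable shape: the href check only runs when the tag is an anchor,
// so <area href="..."> (and any other tag) passes through untouched.
function processAttrsVulnerable(tagName: string, attrs: Attrs): Attrs {
  var out: Attrs = {};
  Object.keys(attrs).forEach(function (name) {
    var value = attrs[name];
    if (name === "href" && tagName === "a" && !isSafeHref(value)) return;
    out[name] = value;
  });
  return out;
}

// Fixed shape: the tag-name condition is gone, so href is validated on
// every element the sanitizer sees (tagName is kept only for symmetry).
function processAttrsFixed(tagName: string, attrs: Attrs): Attrs {
  var out: Attrs = {};
  Object.keys(attrs).forEach(function (name) {
    var value = attrs[name];
    if (name === "href" && !isSafeHref(value)) return;
    out[name] = value;
  });
  return out;
}
```
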
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| joplin | npm | < 2.11.5 | 2.11.5 |