CVE-2026-30830 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting kepano's defuddle software versions earlier than 0.9.0. The root cause lies in the _findContentBySchemaText method within the source file src/defuddle.ts, where the code interpolates image src and alt attributes directly into an HTML string without proper escaping or sanitization. Specifically, the alt attribute is vulnerable to injection of a double quote (") character, which allows an attacker to break out of the attribute context and inject arbitrary event handlers such as onerror or onclick. This flaw enables execution of malicious JavaScript in the context of the affected web page, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability does not require authentication or privileges and can be triggered by user interaction, such as viewing a crafted HTML page processed by defuddle. The CVSS 4.0 base score is 2.1, reflecting a low severity due to the limited scope (client-side only), no impact on confidentiality, integrity, or availability of the server, and the requirement for user interaction. The issue was publicly disclosed on March 7, 2026, and has been fixed in defuddle version 0.9.0 by properly escaping or sanitizing the input before HTML generation. No known exploits have been reported in the wild, but the vulnerability poses a risk to users of affected versions who process untrusted input through defuddle.

The primary impact of CVE-2026-30830 is the potential for client-side script execution via cross-site scripting attacks. This can lead to theft of user session tokens, redirection to malicious sites, or unauthorized actions performed on behalf of the user within the context of the vulnerable web page. However, the impact is limited to the client side and does not compromise server confidentiality, integrity, or availability. Since exploitation requires user interaction (e.g., viewing a crafted HTML page) and no authentication, the attack surface is somewhat constrained. Organizations using defuddle in web content processing pipelines or HTML cleanup tasks may inadvertently expose end users to XSS risks if they process untrusted or user-supplied data. Although no exploits are known in the wild, failure to patch could lead to targeted attacks, especially in environments where defuddle is integrated into web-facing applications or services. Overall, the impact is low but non-negligible for organizations relying on vulnerable versions in security-sensitive contexts.

To mitigate CVE-2026-30830, organizations should upgrade kepano defuddle to version 0.9.0 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement input validation and output encoding controls to ensure that any user-supplied data interpolated into HTML attributes is properly escaped, especially for characters like double quotes and angle brackets. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce the impact of potential XSS attacks. Additionally, review and sanitize all inputs processed by defuddle, particularly those that influence image src and alt attributes. Conduct security testing and code reviews focusing on HTML generation and input handling to detect similar injection flaws. Finally, educate developers and administrators about the risks of improper input neutralization and the importance of timely patching.