
CVE-2026-30830: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kepano defuddle

Severity: Low
Tags: Vulnerability, CVE-2026-30830, CWE-79
Published: Sat Mar 07 2026 (03/07/2026, 05:49:15 UTC)
Source: CVE Database V5
Vendor/Project: kepano
Product: defuddle

Description

CVE-2026-30830 is a low-severity cross-site scripting (XSS) vulnerability in kepano's defuddle software, versions prior to 0.9.0. The vulnerability arises from improper escaping of user-controlled input in the alt attribute of image tags within HTML generated by the _findContentBySchemaText method. An attacker can inject malicious event handlers by breaking out of the attribute context using a double quote, potentially leading to script execution when a user views the affected HTML. This vulnerability requires user interaction but no authentication and has not been observed exploited in the wild. The issue was patched in defuddle version 0.9.0. Organizations using vulnerable versions should upgrade promptly to mitigate risk.

AI-Powered Analysis

Last updated: 03/07/2026, 06:15:36 UTC

Technical Analysis

The vulnerability identified as CVE-2026-30830 affects kepano's defuddle software, specifically versions prior to 0.9.0. Defuddle is a tool designed to clean up HTML pages, and the flaw exists in the _findContentBySchemaText method located in src/defuddle.ts. This method interpolates user-supplied values for image src and alt attributes directly into an HTML string without proper escaping or sanitization. The lack of escaping allows an attacker to inject a double quote character (") into the alt attribute, breaking out of the attribute context and enabling the insertion of malicious event handlers such as onerror or onclick. When a victim views the manipulated HTML content, the injected script can execute in their browser context, leading to cross-site scripting (XSS). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS 4.0 base score of 2.1, indicating low severity. The attack vector is network-based with no privileges required, but user interaction is necessary to trigger the exploit. The scope is limited to the affected HTML content generated by defuddle, and no known exploits have been reported in the wild. The issue was addressed and patched in defuddle version 0.9.0 by implementing proper escaping of attribute values to prevent injection.

Potential Impact

The primary impact of this vulnerability is the potential for cross-site scripting attacks, which can lead to the execution of arbitrary scripts in the context of a user's browser. This can result in session hijacking, defacement, or redirection to malicious sites. However, given the low CVSS score and the requirement for user interaction, the overall risk is limited. The vulnerability affects only organizations that use defuddle versions prior to 0.9.0 to process or clean HTML content that may include untrusted input. In environments where defuddle is integrated into web applications or content management workflows, attackers could exploit this flaw to target users viewing the processed HTML. Since no authentication is required, attackers can attempt to exploit this remotely. The absence of known exploits in the wild suggests limited active targeting, but the vulnerability still poses a potential risk if left unpatched. The impact on confidentiality, integrity, and availability is low to moderate, primarily affecting confidentiality and integrity through script injection.

Mitigation Recommendations

The most effective mitigation is to upgrade to defuddle version 0.9.0 or later, where the vulnerability has been patched by properly escaping user input in HTML attributes. For organizations unable to upgrade immediately, applying input validation and output encoding on all user-supplied data before it reaches defuddle can reduce risk. Specifically, ensure that any data interpolated into HTML attributes is properly escaped to prevent breaking out of attribute contexts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Additionally, conduct code reviews and security testing on any custom integrations involving defuddle to detect similar injection issues. Monitoring and logging user interactions with HTML content processed by defuddle can help detect potential exploitation attempts. Finally, educate developers and administrators about secure coding practices related to HTML generation and attribute escaping.
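The raw-interpolation flaw described in the Technical Analysis above and the attribute-escaping fix recommended here, as an added TypeScript example that is not defuddle's own code; the function names, the regression check and the sample values are hypothetical and constructed for illustration:

```typescript
// Added example, not defuddle's own code. Hypothetical names: escapeAttr,
// buildImgUnsafe, buildImgSafe, attributeContextIntact, SAMPLE_*.

// Escape a value for use inside a double-quoted HTML attribute. Ampersand goes
// first so already-produced entities are not double-encoded.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern (CWE-79): raw interpolation of src/alt into the tag, the
// same construction the advisory describes for _findContentBySchemaText.
function buildImgUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened pattern: every interpolated value passes through escapeAttr.
function buildImgSafe(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Regression check for a single <img ...> tag built from `expected` values:
// the body must tokenize entirely into name="value" pairs, and there must be
// exactly `expected` of them. A leftover fragment or an extra pair means an
// interpolated value broke out of its attribute context.
function attributeContextIntact(tag: string, expected: number): boolean {
  const inner = tag.match(/^<img\s+([\s\S]*)>$/);
  if (!inner) return false;
  let rest = inner[1];
  let count = 0;
  const pair = /^\s*[^\s=]+="[^"]*"/;
  for (;;) {
    const m = rest.match(pair);
    if (!m) break;
    count += 1;
    rest = rest.slice(m[0].length);
  }
  return rest.trim() === "" && count === expected;
}

// Constructed samples: an ordinary caption containing a double quote, and a
// caption that closes the alt attribute and opens another one.
const SAMPLE_SRC = "https://example.invalid/sign.jpg";
const SAMPLE_ALT = 'Sign reading "exit" above a door';
const SAMPLE_ALT_CLOSING = 'logo" title="untrusted';
```

Running attributeContextIntact over both builders with the two samples shows the unsafe tag failing the check (a dangling fragment in one case, a third attribute in the other) while the escaped tag always yields exactly two attributes.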


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-05T21:06:44.606Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69abbf1fc48b3f10ff5c73b6

Added to database: 3/7/2026, 6:01:03 AM

Last enriched: 3/7/2026, 6:15:36 AM

Last updated: 3/7/2026, 9:15:53 AM
