Search for packages
| purl | pkg:gem/phlex@2.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-85dg-y8nr-n3b9
Aliases: GHSA-w67g-2h6v-vjgq |
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-31T10:20:43.682587+00:00 | Ruby Importer | Affected by | VCID-85dg-y8nr-n3b9 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/GHSA-w67g-2h6v-vjgq.yml | 38.6.0 |
| 2026-05-31T01:07:14.572982+00:00 | GHSA Importer | Affected by | VCID-85dg-y8nr-n3b9 | https://github.com/advisories/GHSA-w67g-2h6v-vjgq | 38.6.0 |
| 2026-05-30T21:06:25.654705+00:00 | GitLab Importer | Affected by | VCID-85dg-y8nr-n3b9 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/GHSA-w67g-2h6v-vjgq.yml | 38.6.0 |