Vulnerabilities affecting this package (0)

| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| This package is not known to be affected by vulnerabilities. | | |
Vulnerabilities fixed by this package (1)

| Vulnerability | Summary | Aliases |
| --- | --- | --- |
| VCID-85dg-y8nr-n3b9 | Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values | GHSA-w67g-2h6v-vjgq |

During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site scripting) protection built into Phlex.

1. The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. `div(**user_attributes)`.
2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
3. The third bypass could happen if a user's links were passed to `href` attributes, e.g. `a(href: user_provided_link)`.

All three of these patterns are meant to be safe and all have now been patched.