VulnerableCode Package Details - pkg:gem/phlex@1.9.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-fr4p-b13u-nbhf Aliases: GHSA-w67g-2h6v-vjgq	Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.	1.11.1 Affected by 0 other vulnerabilities. 2.0.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.1.3 Affected by 0 other vulnerabilities. 2.2.2 Affected by 0 other vulnerabilities. 2.3.2 Affected by 0 other vulnerabilities. 2.4.0.beta1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.4.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-fr4p-b13u-nbhf
Aliases:
GHSA-w67g-2h6v-vjgq

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.

1.11.1
Affected by 0 other vulnerabilities.

2.0.2
Affected by 1 other vulnerability.

2.1.3
Affected by 0 other vulnerabilities.

2.2.2
Affected by 0 other vulnerabilities.

2.3.2
Affected by 0 other vulnerabilities.

2.4.0.beta1
Affected by 1 other vulnerability.

2.4.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-m3kh-42bg-ykd8	Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.	CVE-2024-32463 GHSA-g7xq-xv8c-h98c

Vulnerability

Summary

Aliases

VCID-m3kh-42bg-ykd8

Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.

CVE-2024-32463
GHSA-g7xq-xv8c-h98c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:15:59.957578+00:00	Ruby Importer	Affected by	VCID-fr4p-b13u-nbhf	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/GHSA-w67g-2h6v-vjgq.yml	38.6.0
2026-06-04T16:45:16.135566+00:00	GithubOSV Importer	Fixing	VCID-m3kh-42bg-ykd8	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-g7xq-xv8c-h98c/GHSA-g7xq-xv8c-h98c.json	38.6.0
2026-06-02T04:47:38.066202+00:00	GitLab Importer	Fixing	VCID-m3kh-42bg-ykd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/CVE-2024-32463.yml	38.6.0