Search for vulnerabilities
| Vulnerability ID | VCID-fr4p-b13u-nbhf |
| Aliases |
GHSA-w67g-2h6v-vjgq
|
| Summary | Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| There are no known severity scores. | ||
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T04:50:00.900448+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/GHSA-w67g-2h6v-vjgq.yml | 38.6.0 |