{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-42338", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-26T13:26:14.514Z", "datePublished": "2026-05-12T19:43:16.470Z", "dateUpdated": "2026-07-09T12:09:43.283Z" }, "containers": { "cna": { "title": "ip-address: XSS in Address6 HTML-emitting methods", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE" } ] } ], "metrics": [ { "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0" } } ], "references": [ { "name": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g" } ], "affected": [ { "vendor": "beaugunderson", "product": "ip-address", "versions": [ { "version": "< 10.1.1", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-12T19:43:16.470Z" }, "descriptions": [ { "lang": "en", "value": "ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1." } ], "source": { "advisory": "GHSA-v2v4-37r5-5v8g", "discovery": "UNKNOWN" } }, "adp": [ { "references": [ { "url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-13T14:46:11.633277Z", "id": "CVE-2026-42338", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T14:46:50.469Z" } }, { "affected": [ { "cpes": [ "cpe:/o:redhat:enterprise_linux:10.2" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 10)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 9)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2.6::el9" ], "defaultStatus": "affected", "product": "Red Hat Ansible Automation Platform 2.6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1.10::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.10", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhdh:1.9::el9" ], "defaultStatus": "affected", "product": "Red Hat Developer Hub 1.9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_devspaces:3.29::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Dev Spaces 3.29", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:2.6::el8" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 2.6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.0::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.0", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.1::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.1", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.2::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:service_mesh:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Service Mesh 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:confidential_compute_attestation:1" ], "defaultStatus": "affected", "product": "Confidential Compute Attestation", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:exploit_intelligence:0" ], "defaultStatus": "affected", "product": "Exploit Intelligence", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhmt:1" ], "defaultStatus": "affected", "product": "Migration Toolkit for Containers", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:multicluster_engine" ], "defaultStatus": "affected", "product": "Multicluster Engine for Kubernetes", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_pipelines:1" ], "defaultStatus": "affected", "product": "OpenShift Pipelines", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:amq_broker:7" ], "defaultStatus": "affected", "product": "Red Hat AMQ Broker 7", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:apache_camel_hawtio:4" ], "defaultStatus": "affected", "product": "Red Hat build of Apache Camel - HawtIO 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:podman_desktop:1" ], "defaultStatus": "affected", "product": "Red Hat Build of Podman Desktop", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:podman_desktop:0" ], "defaultStatus": "affected", "product": "Red Hat Build of Podman Desktop - Tech Preview", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux_ai:3" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:hummingbird:1" ], "defaultStatus": "affected", "product": "Red Hat Hardened Images", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:satellite:6" ], "defaultStatus": "affected", "product": "Red Hat Satellite 6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_portal:2" ], "defaultStatus": "affected", "product": "Self-service automation portal 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:cryostat:4" ], "defaultStatus": "unaffected", "product": "Cryostat 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:acm:2" ], "defaultStatus": "unaffected", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:camel_spring_boot:4" ], "defaultStatus": "unaffected", "product": "Red Hat build of Apache Camel for Spring Boot 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_devspaces:3" ], "defaultStatus": "unaffected", "product": "Red Hat OpenShift Dev Spaces", "vendor": "Red Hat" } ], "datePublic": "2026-05-12T19:43:16.470Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting (XSS) by providing untrusted input to the Address6 constructor. When an application renders the output of Address6.group(), Address6.link(), or the AddressError.parseMessage as HTML without proper escaping, the attacker-controlled content can be executed in the user's browser." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-42338" }, { "name": "RHBZ#2476810", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476810" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35842" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35841" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35892" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35891" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:34374" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:36754" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33574" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:36820" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33155" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33160" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33163" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33173" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33183" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:35842: Red Hat Enterprise Linux AppStream (v. 10)" }, { "lang": "en", "value": "RHSA-2026:35841: Red Hat Enterprise Linux AppStream (v. 10)" }, { "lang": "en", "value": "RHSA-2026:35892: Red Hat Enterprise Linux AppStream (v. 9)" }, { "lang": "en", "value": "RHSA-2026:35891: Red Hat Enterprise Linux AppStream (v. 9)" }, { "lang": "en", "value": "RHSA-2026:34374: Red Hat Ansible Automation Platform 2.6" }, { "lang": "en", "value": "RHSA-2026:36754: Red Hat Developer Hub 1.10" }, { "lang": "en", "value": "RHSA-2026:33574: Red Hat Developer Hub 1.9" }, { "lang": "en", "value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29" }, { "lang": "en", "value": "RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6" }, { "lang": "en", "value": "RHSA-2026:33160: Red Hat OpenShift Service Mesh 3.0" }, { "lang": "en", "value": "RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1" }, { "lang": "en", "value": "RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2" }, { "lang": "en", "value": "RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3" } ], "timeline": [ { "lang": "en", "time": "2026-05-12T21:01:14.436Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-05-12T19:43:16.470Z", "value": "Made public." } ], "title": "ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-09T12:09:43.283Z" } } ] } }