CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HVQH-JW65-WCPQ: Cross-Site Scripting (XSS) in devbridge-autocomplete

Vulnerability ID: GHSA-HVQH-JW65-WCPQ
CVSS Score: 6.1
Published: 2026-06-22

The devbridge-autocomplete package (jQuery-Autocomplete) does not escape category headers or suggestion values when the default formatGroup and formatResult formatters are used. If suggestions contain untrusted input, arbitrary HTML and JavaScript execute directly in the victim's browser session.

TL;DR

Unescaped HTML in autocomplete suggestion categories or values can bypass client-side rendering filters and execute arbitrary JavaScript.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v3.1 Score: 6.1 (Medium)
  • Exploit Status: PoC (Proof-of-Concept)
  • KEV Status: Not Listed
  • Impact: Client-side Script Execution (Cross-Site Scripting)

Affected Systems

  • devbridge-autocomplete (NPM package)
  • jQuery-Autocomplete (GitHub repository)
  • devbridge-autocomplete: < 2.0.1 (Fixed in: 2.0.1)

Code Analysis

Commit: 63ff096

Fix XSS vulnerabilities by using native DOM element creation and textContent to securely escape categories and suggestion values.

Mitigation Strategies

  • Upgrade devbridge-autocomplete to version 2.0.1 or higher.
  • Override the default formatResult and formatGroup functions during initialization with handlers that render suggestion values and category names as text (for example by building elements with document.createElement and setting textContent, or by HTML-escaping the strings before returning them).
  • Enforce a Content Security Policy (CSP) that restricts inline script execution.

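The override mitigation above, as an added example that is not the devbridge-autocomplete project's own code. It assumes the plugin's documented option names (formatResult(suggestion, currentValue) and formatGroup(suggestion, category), both returning an HTML string that the plugin inserts into the dropdown, plus lookup and groupBy). Where the upstream fix uses native DOM creation and textContent, this version keeps the string-returning formatter contract and escapes each fragment instead; the suggestion data and the #search element are constructed for the example.

```javascript
// Added example (not the devbridge-autocomplete project's own code): replacement
// formatters that escape untrusted suggestion text before the plugin injects it.
// Assumed plugin contract: formatResult(suggestion, currentValue) and
// formatGroup(suggestion, category) return an HTML string.

// Minimal HTML escaper covering the characters that matter in element and
// attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Safe replacement for formatResult: highlights the typed text with <strong>,
// but matches on the raw value and escapes each piece separately, so markup in
// the suggestion (or in the query itself) is rendered as literal text.
function safeFormatResult(suggestion, currentValue) {
  const value = String(suggestion.value);
  const query = String(currentValue || '');
  if (query.length === 0) {
    return escapeHtml(value);
  }
  const idx = value.toLowerCase().indexOf(query.toLowerCase());
  if (idx < 0) {
    return escapeHtml(value);
  }
  const before = value.slice(0, idx);
  const match = value.slice(idx, idx + query.length);
  const after = value.slice(idx + query.length);
  return escapeHtml(before) + '<strong>' + escapeHtml(match) + '</strong>' + escapeHtml(after);
}

// Safe replacement for formatGroup: the category header is escaped as well.
function safeFormatGroup(suggestion, category) {
  return '<div class="autocomplete-group">' + escapeHtml(category) + '</div>';
}

// Constructed suggestion data standing in for what a lookup endpoint might return;
// both the value and the category carry markup that must not be interpreted.
const constructedSuggestions = [
  { value: 'alice <i>injected</i>', data: { category: '<b>Users</b>' } },
  { value: 'Tom & Jerry', data: { category: 'Shows' } },
];

// Wiring into the plugin when jQuery is present (browser only; skipped under Node).
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery('#search').autocomplete({
    lookup: constructedSuggestions,
    groupBy: 'category',
    formatResult: safeFormatResult,
    formatGroup: safeFormatGroup,
  });
}
```

Escaping the prefix, match and suffix separately (rather than escaping the whole value and then running a highlight regex over it) avoids splitting an entity such as `&amp;` when the query happens to match inside it.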
Remediation Steps:

  1. Open the project package.json file and identify the devbridge-autocomplete dependency.
  2. Update the version identifier to ^2.0.1.
  3. Run npm install or yarn install to apply the change.
  4. For non-package-managed deployments, download the patched version of jquery.autocomplete.js directly from the official repository and replace the existing legacy library.
  5. Test custom input fields with test scripts () to verify successful neutralization.

