{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34231", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-03-31T15:33:17.644Z", "dateUpdated": "2026-03-31T17:21:50.192Z"}, "containers": {"cna": {"title": "Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3"}, {"name": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2"}, {"name": "https://github.com/mixxorz/slippers/releases/tag/0.6.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/mixxorz/slippers/releases/tag/0.6.3"}], "affected": [{"vendor": "mixxorz", "product": "slippers", "versions": [{"version": "< 0.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:33:17.644Z"}, "descriptions": [{"lang": "en", "value": "Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3."}], "source": {"advisory": "GHSA-w7rv-gfp4-j9j3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T17:21:42.383302Z", "id": "CVE-2026-34231", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:21:50.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T17:21:42.383302Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T17:21:46.537Z"}}], "cna": {"title": "Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag", "source": {"advisory": "GHSA-w7rv-gfp4-j9j3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mixxorz", "product": "slippers", "versions": [{"status": "affected", "version": "< 0.6.3"}]}], "references": [{"url": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3", "name": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2", "name": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mixxorz/slippers/releases/tag/0.6.3", "name": "https://github.com/mixxorz/slippers/releases/tag/0.6.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:33:17.644Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34231", "state": "PUBLISHED", "dateUpdated": "2026-03-31T17:21:50.192Z", "dateReserved": "2026-03-26T16:22:29.034Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:33:17.644Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:django:slippers:*:*:*:*:*:*:*:*", "matchCriteriaId": "617012FB-61E8-4B1B-AECD-08D5488A558A", "versionEndIncluding": "0.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3."}], "id": "CVE-2026-34231", "lastModified": "2026-04-03T14:51:03.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:32.603", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mixxorz/slippers/releases/tag/0.6.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.6.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "slippers", "source": "cna", "vendor": "mixxorz"}, "product": "slippers", "vendor": "mixxorz"}], "analysis": {"en": {"generated_at": "2026-04-03T17:23:42.031636+00:00", "value": {"mitigation_remediation": ["Apply the latest Slippers patch (version 0.6.3 or newer).", "Verify that all data passed to the {% attrs %} tag originates from trusted sources or is properly escaped before rendering."], "summary": {"action": "Patch Now", "impact": "Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the mixxorz Slippers package, a Django UI component framework. Any installation of Slippers prior to version 0.6.3 is susceptible; the issue was patched in release 0.6.3.", "description_and_impact": "Slippers, a UI component framework for Django, contains an unescaped rendering flaw in its {% attrs %} template tag. When a context variable with untrusted data is interpolated into an HTML attribute string, the value is inserted without escaping, permitting an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript. This classic cross\u2011site scripting weakness (CWE\u201179) can compromise the integrity of rendered pages and potentially expose users to malicious scripts.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can supply untrusted input that is rendered via the {% attrs %} tag in a page. Once triggered, the attacker can inject malicious scripts that execute in the context of the victim's browser."}}}}, "created": "2026-03-31T19:54:07.919261+00:00", "updated": "2026-04-03T21:17:36.318162+00:00", "vendors": ["mixxorz", "mixxorz$PRODUCT$slippers"]}