Cross-Site Scripting in ip-address Library Affecting JavaScript Applications
CVE-2026-42338

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 12 May 2026

What is CVE-2026-42338?

The ip-address library, which handles IPv4 and IPv6 address management in JavaScript, is vulnerable to cross-site scripting because it does not HTML-escape attacker-controlled content. Prior to version 10.1.1, the methods Address6.group() and Address6.link() do not escape potentially harmful content before embedding it into HTML strings, and AddressError.parseMessage can expose unescaped content in error messages when invalid input is processed. Applications that use these methods to render untrusted input as HTML are at risk; developers should update to the latest version to mitigate these vulnerabilities.
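
For applications that render the output of these methods as HTML, the following added example (not code from the ip-address project or from this advisory) shows one defensive pattern: check untrusted input against the IPv6 text alphabet before it reaches an HTML-producing method, and escape any error message before display. The names escapeHtml, isSafeAddressText, renderAddressHtml and unescapedGroupStandIn are hypothetical, and the stand-in renderer is constructed for the demonstration.

```javascript
// Added example: a defensive wrapper, not code from the ip-address project.
// `render` is a hypothetical application callback, for instance
//   (s) => new Address6(s).group()
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can change HTML structure in element content
// and in quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Characters a textual IPv6 address can contain: hex digits, ':' and '.'
// (embedded IPv4), an optional %zone and an optional /prefix length.
// This checks the alphabet only; real parsing is still the library's job.
const ADDRESS_ALPHABET = /^[0-9a-fA-F:.]{2,45}(?:%[A-Za-z0-9_.-]{1,32})?(?:\/\d{1,3})?$/;

function isSafeAddressText(input) {
  return typeof input === 'string' && ADDRESS_ALPHABET.test(input);
}

// Returns { ok, html }. Input outside the alphabet never reaches `render`;
// rejected input and error messages are returned as escaped text.
function renderAddressHtml(input, render) {
  if (!isSafeAddressText(input)) {
    return { ok: false, html: 'Invalid address: ' + escapeHtml(input) };
  }
  try {
    return { ok: true, html: render(input) };
  } catch (err) {
    // Treat the error message as untrusted text, never as markup.
    return { ok: false, html: escapeHtml(err && err.message) };
  }
}

// Constructed stand-in for an HTML-producing method that does not escape.
function unescapedGroupStandIn(address) {
  if (address.split(':').length > 9) {
    throw new Error('Too many groups in <span>' + address + '</span>');
  }
  return address.split(':')
    .map((g, i) => '<span class="group-' + i + '">' + g + '</span>')
    .join(':');
}
```

This wrapper is an interim control for code that cannot be upgraded immediately; it does not replace updating to a fixed version.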

Affected Version(s)

ip-address < 10.1.1

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
