Cross-site scripting in Deno - CVE-2024-32468

 


Published: November 25, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127055
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-32468
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software: Deno

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the generated documentation page.

The vulnerability exists due to cross-site scripting in the deno_doc HTML generator when generating HTML documentation from crafted package content. A remote user can include unsanitized names or HTML content in documented code to execute arbitrary script in the generated documentation page.

User interaction is required to open or view the generated documentation.


How to mitigate CVE-2024-32468

Install the security update from the vendor's website.
