{"id":"CVE-2021-23784","details":"This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.","aliases":["GHSA-w4v7-hwx7-9929"],"modified":"2026-04-02T06:47:32.008291Z","published":"2021-11-03T18:15:08.180Z","related":["SNYK-JS-TEMPURA-1569633"],"references":[{"type":"ADVISORY","url":"https://github.com/lukeed/tempura/releases/tag/v0.4.0"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JS-TEMPURA-1569633"},{"type":"FIX","url":"https://github.com/lukeed/tempura/commit/58a5c3671e2f36b26810e77ead9e0dd471902f9b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lukeed/tempura","events":[{"introduced":"0"},{"fixed":"86c7bd4d4f9b03c6191debdf44d4b3e9c4b7efff"},{"fixed":"58a5c3671e2f36b26810e77ead9e0dd471902f9b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.4.0"}]}}],"versions":["v0.1.0","v0.1.0-next.2","v0.2.0","v0.3.0","v0.3.1","v0.3.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23784.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}