CVE-2026-44458

描述

### Summary The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. ### Details `style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property. This issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side. ### Impact An attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to: - Visual manipulation of the page, including full-viewport overlays usable for phishing - Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)` - Hijacking of UI affordances through layout, positioning, or visibility changes This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.

如何修補 CVE-2026-44458

要修補 CVE-2026-44458,請將受影響套件升級到下列已修補版本。

• —升級至 4.12.18 或更新版本

CVE-2026-44458 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 4.12.18

CVSS 分數