Vulnerability Description
Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Django | Slippers | <= 0.6.2 |
Related Weaknesses (CWE)
References
- https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b65342Patch
- https://github.com/mixxorz/slippers/releases/tag/0.6.3Release Notes
- https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3ExploitVendor Advisory
FAQ
What is CVE-2026-34231?
CVE-2026-34231 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a contex...
How severe is CVE-2026-34231?
CVE-2026-34231 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34231?
Check the references section above for vendor advisories and patch information. Affected products include: Django Slippers.