Bug 2476810 (CVE-2026-42338)

Summary: CVE-2026-42338 ip-address: Cross-site scripting via improper HTML escaping of untrusted input
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abarbaro, abrianik, abuckta, alcohan, alizardo, anthomas, ataylor, bbrownin, caswilli, cdrage, cmah, dbruscin, dfreiber, dkuc, drow, dschmidt, dymurray, eaguilar, ebaron, ehelms, erezende, fmariani, ggainey, ggrzybek, gmalinko, gparvin, ibolton, janstey, jbalunas, jburrell, jchui, jhe, jkoehler, jlanda, jmatthew, jmontleo, jolong, jraez, juwatts, jwong, jwon, kaycoth, kshier, ktsao, kvanderr, lphiri, mcarlett, mhulan, mstipich, nboldt, nmoumoul, oaljalju, omaciel, orabin, osousa, pahickey, parichar, pcreech, pgaikwad, pjindal, psrna, rchan, rekumar, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rstepani, rushinde, sdawley, simaishi, slucidi, smallamp, smcdonal, sseago, stcannon, sthirugn, tasato, tcunning, teagle, tmalecek, vkumar, vvoronko, watson-tool-maintainers, yfang, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. A remote attacker who controls the input passed to the Address6 constructor can achieve cross-site scripting (XSS): Address6.group() and Address6.link() embed that content in the HTML strings they return without escaping it, and in one branch the parseMessage of the AddressError thrown for invalid input also carries it unescaped. An application that renders any of these values as HTML without escaping (for example via innerHTML) executes the attacker-controlled content in the user's browser. Versions before 10.1.1 are affected.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2487622, 2487623, 2487625, 2487626, 2487628, 2487629, 2487624
Bug Blocks:

Description OSIDB Bzimport 2026-05-12 21:02:40 UTC
ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1.
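As an added illustration that is not part of this bug report or of the ip-address project's code, the JavaScript below models the data flow the description refers to: a stand-in for group() that interpolates each address group into span markup without escaping, the same function with the data encoded first, a stand-in for link() showing that the address also lands in an attribute context, and a stand-in AddressError whose parseMessage echoes the rejected input. The stand-in parser is deliberately permissive (it only splits on colons) so the flow is visible; it does not reproduce the library's real validation, class names or error text, and every function name, the payload and the sample address are constructed for this example.

```javascript
// Added example, not the ip-address project's code: a stand-in for the data
// flow described in CVE-2026-42338. Function names, class names, the payload
// and the sample address below are all constructed for this illustration.

// Encode a string for placement in HTML element content or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for the pre-fix group(): each colon-separated group is wrapped in a
// span straight from the input, so a "group" that is really markup survives.
// (Deliberately permissive; the real library validates more than this.)
function groupHtmlUnsafe(address) {
  return address
    .split(':')
    .map((g, i) => `<span class="group-${i}">${g}</span>`)
    .join(':');
}

// Hardened form: the data is encoded before interpolation; the span markup the
// method is meant to return is left untouched.
function groupHtmlSafe(address) {
  return address
    .split(':')
    .map((g, i) => `<span class="group-${i}">${escapeHtml(g)}</span>`)
    .join(':');
}

// Stand-in for link(): the address lands in an attribute value and in element
// content, so the quote entities in escapeHtml matter here, not only < and >.
function linkHtmlSafe(address) {
  const safe = escapeHtml(address);
  return `<a href="/#address=${safe}">${safe}</a>`;
}

// Stand-in for an AddressError that carries a parseMessage echoing raw input.
class AddressErrorStandIn extends Error {
  constructor(message, parseMessage) {
    super(message);
    this.name = 'AddressError';
    this.parseMessage = parseMessage;
  }
}

// Stand-in strict parser: every group must be 0-4 hex digits (empty groups come
// from "::"). On failure the offending group is echoed into parseMessage, the
// kind of branch the advisory warns about; callers must encode it before rendering.
function parseGroupsStrict(address) {
  const groups = address.split(':');
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{0,4}$/.test(g)) {
      throw new AddressErrorStandIn('Invalid IPv6 address', `Bad group: ${g}`);
    }
  }
  return groups;
}

// Consumer-side handling of a thrown error: encode before any HTML sink.
function renderErrorSafe(err) {
  return escapeHtml(err.parseMessage || err.message);
}

// Simple check: does the rendered HTML still contain the raw payload?
function containsRaw(html, payload) {
  return html.includes(payload);
}

// Constructed attacker input: the third "group" is markup, not hex digits.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const ATTACKER_INPUT = `2001:db8:${PAYLOAD}::1`;

// Run the three flows against an input and return the rendered strings.
function demo(input = ATTACKER_INPUT) {
  const unsafe = groupHtmlUnsafe(input);
  const safe = groupHtmlSafe(input);
  let errorHtml = null;
  try {
    parseGroupsStrict(input);
  } catch (e) {
    errorHtml = renderErrorSafe(e);
  }
  return { unsafe, safe, errorHtml };
}

const result = demo();
console.log('unsafe group() output injectable:', containsRaw(result.unsafe, PAYLOAD));
console.log('safe group() output injectable:  ', containsRaw(result.safe, PAYLOAD));
console.log('encoded parseMessage:', result.errorHtml);
```

Because group() and link() return HTML by design, encoding their whole return value is not a usable fix (it would destroy the span and anchor markup the caller wants); the flaw the advisory describes is missing escaping of the data inside that markup, which is what groupHtmlSafe models and what upgrading to 10.1.1 is expected to provide. Until an application is on 10.1.1, the consumer-side options are to keep these values out of innerHTML and similar sinks, to validate input against a strict address grammar before it reaches Address6, and to always encode parseMessage before it is rendered.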