Severity: high

Cross-Site Scripting



Versions of console-feed prior to 2.8.10 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape the rendered output. If an application uses console-feed and a malicious JavaScript payload was passed to a console.log('%_', payload) call, the package would render HTML containing the malicious payload.


Upgrade to version 2.8.10 or later.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Jul 26th, 2019
  2. reported

    Reported by Sam Denty
    Jul 23rd, 2019