ip-address: XSS in Address6 HTML-emitting methods
Summary
| CVE | CVE-2026-42338 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-12 20:16:41 UTC |
| Updated | 2026-07-15 02:21:31 UTC |
| Description | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. This vulnerability is fixed in 10.1.1. |
Risk And Classification
Primary CVSS: v4.0 5.3 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004710000 probability, percentile 0.375210000 (date 2026-07-13)
Problem Types: CWE-79 | CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Beaugunderson | Ip-address | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Beaugunderson | Ip-address | affected < 10.1.1 | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 1:24.18.0-1.el10_2 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 1:22.23.1-2.el10_2 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 1:22.23.1-2.el10_0 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 9080020260626074955.rhel9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 9080020260626075442.rhel9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.6 | unaffected 1782721130 * rpm | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.10 | unaffected 1783448184 * rpm | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.9 | unaffected 1782761244 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.29 | unaffected 1782498475 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.29 | unaffected 1782498792 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 2.6 | unaffected 1781937133 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 2.6 | unaffected 1782287580 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3 | unaffected 1782201894 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3 | unaffected 1782201833 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.1 | unaffected 1782201696 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.1 | unaffected 1782201537 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.2 | unaffected 1782201851 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.2 | unaffected 1782201812 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.3 | unaffected 1782231869 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.3 | unaffected 1782201466 * rpm | Not specified |
| ADP | Red Hat | Confidential Compute Attestation | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | Exploit Intelligence | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Containers | Not specified | Not specified |
| ADP | Red Hat | Multicluster Engine For Kubernetes | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | OpenShift Pipelines | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat AMQ Broker 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel For Spring Boot 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel - HawtIO 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Podman Desktop | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Podman Desktop - Tech Preview | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Self-service Automation Portal 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:33160 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34374 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35891 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35842 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36754 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42338.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33163 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35892 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35841 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:39246 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-42338 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36820 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33173 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:33183 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33155 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33574 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-12T21:01:14.436Z | Reported to Red Hat. |
| ADP | 2026-05-12T19:43:16.470Z | Made public. |
Solutions
ADP: RHSA-2026:39246: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:35842: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:35841: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:35892: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:35891: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:34374: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:36754: Red Hat Developer Hub 1.10
ADP: RHSA-2026:33574: Red Hat Developer Hub 1.9
ADP: RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29
ADP: RHSA-2026:33155: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:33163: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:33173: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:33183: Red Hat OpenShift Service Mesh 3.3
ADP: RHSA-2026:33160: Red Hat OpenShift Service Mesh 3
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.