All versions of `html-pages` are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize folder names, allowing attackers to execute arbitrary JavaScript in the victim's browser through folders with names containing malicious code.

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Affected Packages

npm html-pages

Affected versions: 0 (last affected: 3.1.0)

Related CVEs

CVE-2018-16481

Key Information

GHSA ID

GHSA-5p26-hw7f-3cpr

Published

February 7, 2019 6:14 PM

Last Modified

September 12, 2023 8:39 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

html-pages

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 1, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.