[Pkg-javascript-devel] Bug#1131449: libjs-spin.js: CVE-2026-3884

Salvatore Bonaccorso carnil at debian.org
Sat Mar 21 15:44:00 GMT 2026


Source: libjs-spin.js
Version: 1.2.8+dfsg2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.2.8+dfsg2-1.1

Hi,

The following vulnerability was published for libjs-spin.js.

CVE-2026-3884[0]:
| Versions of the package spin.js before 3.0.0 are vulnerable to
| Cross-site Scripting (XSS) via the spin() function that allows a
| creation of more than 1 alert for each 'target' element. An attacker
| would need to set an arbitrary key-value pair on Object.prototype
| through a crafted URL achieving a prototype pollution first, before
| being able to execute arbitrary JavaScript in the context of the
| user's browser.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-3884
    https://www.cve.org/CVERecord?id=CVE-2026-3884
[1] https://security.snyk.io/vuln/SNYK-JS-SPINJS-15445079
[2] https://github.com/fgnass/spin.js/commit/1f63d33b74e5919e7fe24bf97eca96a346535f6f

Regards,
Salvatore
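
The precondition in the CVE text (a key already set on Object.prototype) matters because of how a generic property-copy helper enumerates keys. The following is an added illustration, not spin.js code or the upstream fix: `applyPropsUnsafe`, `applyPropsSafe`, `pollutedKeys`, `demo` and the polluted key are hypothetical names constructed for the example, and plain objects stand in for DOM elements so it runs under Node.

```javascript
// Added illustration: hypothetical helpers, not spin.js code.

// Unsafe: for...in also visits enumerable keys inherited from
// Object.prototype, so polluted keys are copied along with the caller's.
function applyPropsUnsafe(el, props) {
  for (const name in props) el[name] = props[name];
  return el;
}

// Hardened: own keys only, restricted to an explicit allowlist.
const ALLOWED_PROPS = new Set(['className', 'role']);
function applyPropsSafe(el, props) {
  for (const name of Object.keys(props)) {
    if (ALLOWED_PROPS.has(name)) el[name] = props[name];
  }
  return el;
}

// Detection: list enumerable keys every plain object currently inherits.
function pollutedKeys() {
  const found = [];
  for (const key in {}) found.push(key);
  return found;
}

function demo() {
  // Constructed pollution with a harmless marker value; it stands in for
  // the separate prototype-pollution step the CVE text requires.
  Object.prototype.constructedKey = 'MARKER';
  try {
    const props = { className: 'spinner' };
    // Null-prototype objects stand in for DOM elements so that only
    // properties actually written to them are visible.
    const unsafeEl = applyPropsUnsafe(Object.create(null), props);
    const safeEl = applyPropsSafe(Object.create(null), props);
    return {
      detected: pollutedKeys(),
      unsafe: Object.keys(unsafeEl),
      safe: Object.keys(safeEl),
    };
  } finally {
    delete Object.prototype.constructedKey; // restore the prototype
  }
}

console.log(demo());
```

A non-empty `pollutedKeys()` result at page load is a cheap runtime signal that some earlier code path has modified Object.prototype.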


