{"id":"CVE-2021-30458","details":"An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x before 0.12.2. An attacker can send crafted wikitext that Utils/WTUtils.php will transform by using a \u003cmeta\u003e tag, bypassing sanitization steps, and potentially allowing for XSS.","aliases":["GHSA-5pqx-77vf-85rw"],"modified":"2026-04-12T01:58:35.688437Z","published":"2021-04-09T07:15:16.340Z","references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-40"},{"type":"ADVISORY","url":"https://www.mediawiki.org/wiki/Parsoid"},{"type":"REPORT","url":"https://phabricator.wikimedia.org/T279451"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wikimedia/mediawiki-services-parsoid","events":[{"introduced":"0"},{"fixed":"682ac3f9f1381a3c2264d1eb0efbd3eba9e41608"},{"introduced":"4062d23e3660fd34b2adc30a9b883f73415b1607"},{"fixed":"15169a678f9f468ff6465035a32f28e8ec82003f"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wikimedia:parsoid:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.11.1"},{"introduced":"0.12.0"},{"fixed":"0.12.2"}]}}],"versions":["v0.10.0","v0.11.0","v0.12.0","v0.12.1","v0.2.0","v0.3.0","v0.4.0","v0.4.1","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.8.0","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-30458.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}