{"id":"CVE-2024-53386","details":"Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.","aliases":["GHSA-fp3m-g5rc-4c28"],"modified":"2025-11-16T08:25:35.799314Z","published":"2025-03-03T07:15:34.560Z","references":[{"type":"WEB","url":"https://github.com/piqnt/stage.js/blob/919f6e94b14242f6e6994141a9e1188439d306d5/lib/core.js#L158-L159"},{"type":"EVIDENCE","url":"https://gist.github.com/jackfromeast/31d56f1ad17673aabb6ab541e65a5534"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/piqnt/stage.js","events":[{"introduced":"0"},{"last_affected":"919f6e94b14242f6e6994141a9e1188439d306d5"}]}],"versions":["v0.1.49","v0.2.1","v0.3.0","v0.3.1","v0.4.0","v0.4.0-beta.0","v0.4.0-beta.1","v0.4.0-beta.2","v0.4.0-beta.4","v0.4.1","v0.4.11","v0.4.12","v0.4.13","v0.4.14","v0.4.2","v0.4.5","v0.4.7","v0.4.8","v0.4.9","v0.5.0","v0.6.1","v0.6.2","v0.6.4","v0.6.5","v0.6.6","v0.7.0","v0.7.1","v0.8.0","v0.8.1","v0.8.10","v0.8.2","v0.8.4","v0.8.7","v0.8.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53386.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}