DataTables HTML Escape Function Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the DataTables library in versions prior to 1.11.3. The HTML escape entities function that backs the 'text' renderer only escapes string values; if an array is passed instead, it is returned unchanged, and when the cell is written to the DOM the array is stringified with its element contents intact. Any markup inside those elements therefore reaches the page unescaped, allowing injection of malicious scripts.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to session hijacking or exposure of sensitive information.

Reproduction

To reproduce this vulnerability, use a DataTables version prior to 1.11.3 and configure a column with the 'text' renderer, which is the renderer intended to escape HTML in cell values. Supply row data in which that column's value is an array (rather than a string) containing HTML such as an image tag with an 'onerror' event. Because the escape entities function does not handle arrays, the array contents are written to the cell without escaping and the injected script executes. The same payload passed as a plain string is escaped correctly, which is how the array case can be distinguished from a misconfigured column.
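The following is an added example, not code from the DataTables project or from this advisory. It models the behaviour described above in plain JavaScript so it can be run in Node without jQuery or a browser: a pre-fix escaping helper that only handles strings, a post-fix helper that joins arrays before escaping, and a stand-in for writing the rendered value into a cell via innerHTML. The escape helpers are written from the advisory's description of the bug and the fix, not copied from the library, and the `renderCell` stringification step is an assumption that mirrors how the DOM coerces a non-string value with `String()` (an array becomes its elements joined by commas).

```javascript
// Added example (not DataTables' own code). Models the array-escaping bug
// from the advisory and the shape of the fix, without jQuery or a DOM.

// Pre-1.11.3 behaviour (reconstructed from the advisory, not copied from the
// library): only string inputs are escaped; anything else, including an array
// whose elements contain markup, is returned untouched.
function htmlEscapeEntitiesVulnerable(d) {
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;')
       .replace(/</g, '&lt;')
       .replace(/>/g, '&gt;')
       .replace(/"/g, '&quot;')
    : d;
}

// 1.11.3-style behaviour (assumed shape of the fix): arrays are joined into a
// single string first, so their contents go through the same escaping.
function htmlEscapeEntitiesFixed(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;')
       .replace(/</g, '&lt;')
       .replace(/>/g, '&gt;')
       .replace(/"/g, '&quot;')
    : d;
}

// Stand-in for assigning the rendered value to a cell's innerHTML (assumption):
// the DOM coerces non-strings with String(), and String([a, b]) is "a,b".
function renderCell(value) {
  return String(value);
}

// Runs one cell value through the chosen escape helper and then the cell write,
// returning the HTML that would end up in the table.
function renderWith(escapeFn, cellData) {
  return renderCell(escapeFn(cellData));
}

// Crude check used to compare outcomes: does the HTML still contain a raw
// element start tag? This is a demonstration aid, not a sanitizer.
function containsRawTag(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample data: the same payload as a string and inside an array.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const STRING_CELL = PAYLOAD;
const ARRAY_CELL = [PAYLOAD, 'second value'];

// Side-by-side results for a reader running this directly.
console.log('vulnerable, string :', renderWith(htmlEscapeEntitiesVulnerable, STRING_CELL));
console.log('vulnerable, array  :', renderWith(htmlEscapeEntitiesVulnerable, ARRAY_CELL));
console.log('fixed, array       :', renderWith(htmlEscapeEntitiesFixed, ARRAY_CELL));
```

Run with `node`. The string payload is escaped by both helpers; only the array payload under the pre-fix helper reaches the cell with its `<img ... onerror=...>` intact, which is exactly the case the advisory describes.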

Remediation

Upgrade DataTables to version 1.11.3 or later. If an immediate upgrade is not possible, avoid passing array values to columns that rely on the 'text' renderer for escaping: normalise such values to a single string (for example by joining the elements) before they reach the renderer, so that the string escaping path is taken. Note that this is a workaround for the array case only and is not a substitute for the upgrade.

Added: Apr 7, 2026, 9:23 AM
Updated: Apr 7, 2026, 9:23 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.