Orejime Consent Manager Vulnerability Allows Execution of Embedded JavaScript Code
Vulnerability
A vulnerability in Orejime, a consent manager focused on accessibility, affects versions prior to 2.3.2. Orejime holds back consent-gated elements by storing their real attributes under data- prefixes (for example data-href instead of href) and, once the user consents to the related purpose, copies each data- attribute to its unprefixed name. Because the value is copied without being checked, an attacker who can place something like data-href="javascript:..." into the page gets a live href="javascript:..." the moment consent is granted, and the browser then runs the embedded code (for a link, when it is followed). Exploitation requires an existing HTML injection point: the elements Orejime manages are normally hardcoded by the site operator, so sites without such an injection point are unlikely to be affected.
Impact
Exploitation leads to execution of arbitrary JavaScript in the context of the affected page, that is, cross-site scripting running with the privileges of the user who granted consent (access to the page's DOM, cookies not marked HttpOnly, and any authenticated session state the page exposes).
Remediation
Update to Orejime 2.3.2 or later, where this issue is patched. Where an upgrade is not immediately possible, or as defence in depth, sanitize attributes that could carry executable code before they are unprefixed: reject URL-bearing attributes (href, src and similar) whose value uses a javascript: scheme, taking into account the case folding and whitespace stripping browsers apply when parsing a URL.
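The following is an added illustration, not Orejime's own code, of the unprefixing step described above in a vulnerable and a hardened form. Elements are modelled as plain attribute maps so it runs in Node without a DOM. The attribute list, the scheme allowlist and the injected sample element are constructed for the example; the hardened version also drops on* event-handler targets, which goes slightly beyond the javascript: URL case the advisory describes.

```javascript
// Attributes whose value the browser interprets as a URL (constructed list).
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction", "poster"]);

// Schemes the hardened version accepts in URL attributes (constructed
// allowlist). Relative URLs, which have no scheme, are always accepted.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "tel"]);

// Constructed sample: attacker-injected markup that a consent manager would
// "activate" once the user consents to the related purpose.
const INJECTED_ELEMENT = {
  "data-href": "javascript:alert(document.cookie)",
  class: "blocked-link",
};

// Vulnerable behaviour: every data-foo="..." becomes foo="..." verbatim, so
// data-href="javascript:..." becomes a clickable javascript: link.
function unprefixVulnerable(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    out[name.startsWith("data-") ? name.slice("data-".length) : name] = value;
  }
  return out;
}

// Returns the scheme a browser would parse from the value, lower-cased, or
// null for a relative URL. Browsers strip leading C0 controls and spaces and
// remove tab, LF and CR anywhere before parsing, so " java\nscript:alert(1)"
// still executes; the normalisation here mirrors that.
function extractScheme(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function isSafeUrl(value) {
  const scheme = extractScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Hardened behaviour: same unprefixing, but a URL-bearing target whose value
// carries a disallowed scheme, or any on* event-handler target, is dropped
// instead of copied. Dropped attribute names are reported for logging.
function unprefixHardened(attrs) {
  const out = {};
  const rejected = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (!name.startsWith("data-")) {
      out[name] = value;
      continue;
    }
    const target = name.slice("data-".length).toLowerCase();
    const isHandler = target.startsWith("on");
    if (isHandler || (URL_ATTRIBUTES.has(target) && !isSafeUrl(value))) {
      rejected.push(target);
      continue;
    }
    out[target] = value;
  }
  return { attrs: out, rejected };
}

function main() {
  console.log("vulnerable:", unprefixVulnerable(INJECTED_ELEMENT));
  console.log("hardened:  ", unprefixHardened(INJECTED_ELEMENT));
}

main();
```

The allowlist is deliberately conservative: a value such as localhost:8080/x parses as scheme "localhost" and is dropped, which is the safe failure mode for a consent manager that only needs to re-enable embeds it was configured with.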
