CVE-2026-34231: Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag

Published Mar 30, 2026
·
Updated

## Summary A Cross-site Scripting (XSS) vulnerability exists in the `{% attrs %}` template tag of the `slippers` Django package. When a context variable containing untrusted data is passed to `{% attrs %}`, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. ## Vulnerability details ### Root cause `AttrsNode` is a custom `Node` subclass registered via `register.tag()`. Unlike `register.simple_tag()`, which automatically applies `conditional_escape()` when autoescape is on, custom `Node.render()` methods receive no automatic escaping and are fully responsible for sanitising their output. `attr_string()` fails to do this: ```python def attr_string(key: str, value: Any): if isinstance(value, bool): return key if value else "" key = key.replace("_", "-") return f'{key}="{value}"' # value is not escaped ``` ### Attack scenario Given a template that uses `{% attrs %}` with a user-supplied value: ```django {% load slippers %} <input {% attrs type placeholder %}> ``` ```python render(request, "search.html", {"placeholder": request.GET.get("q", "")}) ``` An attacker crafting a request with `q=" onmouseover="alert(document.cookie)" x="` produces: ```html <input type="text" placeholder="" onmouseover="alert(document.cookie)" x=""> ``` ## Impact Any template that passes values derived from user input, database content, or other untrusted sources to `{% attrs %}` is vulnerable. Successful exploitation can lead to session hijacking, credential theft, arbitrary actions on behalf of the victim, and page defacement. ## Remediation Replace the f-string in `attr_string()` with `format_html()`, which escapes both key and value: ```python from django.utils.html import format_html def attr_string(key: str, value: Any): if isinstance(value, bool): return key if value else "" key = key.replace("_", "-") return format_html('{}="{}"', key, value) ``` Until a patch is available, sanitise untrusted values before passing them to `{% attrs %}`, for example with `django.utils.html.escape()` in the view layer.

Affected Software

2 affected componentsFixes available
pip/slippers<=0.6.2
0.6.3
Django Slippers<=0.6.2

Remediation

Patch Available

https://github.com/mixxorz/slippers/commit/16cc4ef4fa8ad2f7aee30798f16c3e7b653423b2

Event History

Mar 30, 2026
Advisory Published
via GitHub·05:20 PM
Data Sourced
via GitHub·05:20 PM
DescriptionSeverityWeaknessAffected Software
Mar 31, 2026
CVE Published
via MITRE·03:33 PM
Data Sourced
via MITRE·03:33 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:16 PM
RemedyAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-34231?

CVE-2026-34231 is considered a medium severity vulnerability due to its potential for Cross-site Scripting (XSS) attacks.

2

How do I fix CVE-2026-34231?

To fix CVE-2026-34231, upgrade the slippers package to version 0.6.3 or later.

3

What systems are affected by CVE-2026-34231?

CVE-2026-34231 affects versions of the slippers package up to and including 0.6.2.

4

Who is impacted by CVE-2026-34231?

Users and developers utilizing the slippers Django package with untrusted context variables in templates are impacted by CVE-2026-34231.

5

What type of vulnerability is CVE-2026-34231?

CVE-2026-34231 is classified as a Cross-site Scripting (XSS) vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203