CVE-2026-34231 MEDIUM

CVE-2026-34231: Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag

Vendor Mixxorz
Product slippers
Weakness CWE-79 · XSS
Published March 31, 2026
Last update March 31, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the `{% attrs %}` template tag of the slippers Django package. When a context variable containing untrusted data is passed to `{% attrs %}`, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.
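The bug class described above, as an added example that is not slippers' own code: a stand-in attribute renderer that interpolates values raw, beside one that escapes them, with a parser check showing how many elements each output produces. The function names, the sample value and the use of the standard library's `html.escape` in place of Django's escaping are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser


def render_attrs_unescaped(attrs):
    """Stand-in for the behaviour the advisory describes: raw interpolation."""
    return " ".join(f'{name}="{value}"' for name, value in attrs.items())


def render_attrs_escaped(attrs):
    """Hardened form: escape each value for a double-quoted attribute context.

    Attribute names are assumed to be developer-controlled literals.
    """
    return " ".join(
        f'{name}="{escape(str(value), quote=True)}"' for name, value in attrs.items()
    )


class TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(attr_string):
    """Place the attribute string in an element and return the parsed start tags."""
    collector = TagCollector()
    collector.feed(f"<button {attr_string}>Save</button>")
    collector.close()
    return collector.tags


# Constructed sample: a context variable carrying untrusted data (benign marker element).
UNTRUSTED = {"class": 'light"><b id="injected">'}

if __name__ == "__main__":
    for render in (render_attrs_unescaped, render_attrs_escaped):
        out = render(UNTRUSTED)
        print(render.__name__, "->", out)
        print("  parsed start tags:", parsed_tags(out))
```

A regression test for a template tag like this can use the same check: render with a value containing a double quote and angle brackets, parse the output, and require exactly one start tag whose attribute value round-trips to the input.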

Key dates

02 Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated