## Homeschool Hero Repository Carries Unpatched DOM-Based XSS in File Upload Component
A CodeQL security scan has flagged a high-severity cross-site scripting vulnerability in the `homeschool-hero` repository managed by user `x3nc0n`. The flaw, classified as `js/xss-through-dom`, resides in `frontend/src/components/features/FileUpload.tsx` at line 273. The scanner identified that DOM text is being reinterpreted as HTML without escaping meta-characters, creating a potential injection pathway for malicious scripts executed through the file upload interface.

The vulnerability was detected on May 9, 2026, during an automated CodeQL workflow run. The remediation guidance attached to the alert states that when a webpage reads text from the DOM and subsequently interprets it as HTML, unescaped meta-characters can enable XSS attacks. The affected code is frontend, client-side logic; ownership is tentatively attributed to Venkman, identified as a frontend developer. Notably, the scan reports that a fixed version has not yet been provided, leaving the vulnerability open at the time of detection.

DOM-based XSS flaws are particularly insidious because the tainted data is read and re-parsed entirely on the client side, so it may never appear in server-side logs or match traditional WAF signatures. File upload components are frequent targets because they handle user-controlled input (file names, sizes, types) and often write that input back into the DOM to display previews, filenames, or validation feedback. If exploited, an attacker could run script in a victim's browser within the application's origin, potentially hijacking sessions, stealing credentials, or altering application behavior. With no patch timeline documented, the vulnerable code may remain in production use.
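As an added illustration (not code from the `homeschool-hero` repository, whose line 273 the page does not show), the following shows the shape of a `js/xss-through-dom` finding in an upload preview beside the escaped alternative, with a check that counts the elements an HTML parser would create from each. The function and variable names, and the sample filename, are hypothetical and constructed for this example.

```javascript
// Added illustration, not code from the homeschool-hero repository: the pattern
// behind a js/xss-through-dom finding in a file-upload preview, beside the
// escaped form. Function and variable names here are hypothetical.

// Minimal HTML escaper for text that will be interpolated into markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: a filename that was read back from the DOM (for example from a
// <span> the component rendered earlier, or from a dropped File's name) is
// concatenated into markup. Assigning the result to innerHTML (or passing it to
// dangerouslySetInnerHTML in React) parses any tags the attacker embedded.
function buildUploadRowVulnerable(fileName, sizeText) {
  return `<li class="upload-row"><b>${fileName}</b> (${sizeText})</li>`;
}

// HARDENED: every untrusted value is escaped before it becomes markup. In a
// browser the simpler fix is to set element.textContent (or let React render
// {fileName} as a text child) so the value is never parsed as HTML at all.
function buildUploadRowSafe(fileName, sizeText) {
  return `<li class="upload-row"><b>${escapeHtml(fileName)}</b> (${escapeHtml(sizeText)})</li>`;
}

// Check: list the element names an HTML parser would create from this markup.
// Anything beyond the two the template intends (li, b) was injected.
function tagNames(markup) {
  return Array.from(markup.matchAll(/<([a-z][a-z0-9-]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed sample input: a filename carrying an inline event handler, the
// kind of payload a user-controlled upload name can hold.
const MALICIOUS_NAME = "<img src=x onerror=alert(document.domain)>.png";

function demo() {
  const vuln = buildUploadRowVulnerable(MALICIOUS_NAME, "12 KB");
  const safe = buildUploadRowSafe(MALICIOUS_NAME, "12 KB");
  return {
    vulnerableTags: tagNames(vuln), // ["li", "b", "img"]: an <img> with onerror was injected
    safeTags: tagNames(safe),       // ["li", "b"]
    vulnerableMarkup: vuln,
    safeMarkup: safe,
  };
}

console.log(demo());
```

The `tagNames` check is the same question CodeQL is asking at the sink: does attacker-controlled text change the set of nodes the browser builds? Escaping keeps the node set fixed; using `textContent` or a React text child removes the HTML parse step entirely, which is the preferable fix when the value is not meant to carry markup.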
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: xss, dom-based-xss, codeql, security-vulnerability, fileupload
- **Credibility**: unverified
- **Published**: 2026-05-09 23:31:51
- **ID**: 81322
- **URL**: https://whisperx.ai/en/intel/81322