GHSA-785h-76cm-cpmf: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-785h-76cm-cpmf) affects django-tomselect package versions prior to 2025.3.3, where user-supplied values passed through certain attributes in form widgets are not fully escaped for potentially dangerous tokens. The issue was discovered and disclosed on March 26, 2025, affecting the Django TomSelect widget implementation (GitHub Advisory).

The vulnerability stems from incomplete escaping of dangerous characters in widget attributes, particularly in label_field attributes. When special characters like '<' and '>' are included in the input, they are not properly escaped, resulting in raw values being rendered in the browser. For example, a label containing HTML tags would be partially rendered as valid HTML in the browser's output. While the script tags appear valid in Chrome dev tools, they don't execute code immediately (GitHub Advisory).

The vulnerability affects the display and handling of valid strings containing '<' or '>' characters, including common use cases such as email addresses in widget label fields. While the immediate risk is mitigated since the rendered content doesn't execute automatically, there exists potential for increased risk through other exploitation methods such as code injection (GitHub Advisory).

Users should update to version 2025.3.3, which contains the necessary code and documentation changes to resolve this vulnerability. The update from version 5.3.2 focuses solely on addressing this security issue, making the update process straightforward (GitHub Advisory).