JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

### Summary
A server-side rendered `<textarea>` with two-way bound value does not have its value correctly escaped in the rendered HTML.
### Details
In SSR, `<textarea bind:value={...}>` does not have its value escaped when it is rendered into the HTML as `<textarea>...</textarea>`.
### PoC
Put this in a server-side-rendered Svelte component:
```
<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>
<textarea bind:value />
```
### Impact
- Only affects SSR
- Needs a `<textarea bind:value>` filled by user content via two-way binding

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23744	CRITICAL	9.8	JavaScript	@mcpjam/inspector	No	Yes	Jan 16, 2026
CVE-2026-23735	HIGH	8.7	JavaScript	graphql-modules	No	Yes	Jan 16, 2026
GHSA-gw32-9rmw-qwww	HIGH	8.4	JavaScript	svelte	No	Yes	Jan 16, 2026
CVE-2026-23745	HIGH	8.2	JavaScript	argo-workflows-fips-3.6	No	Yes	Jan 16, 2026
GHSA-38cw-85xc-xr9x	MEDIUM	6.8	JavaScript	@veramo/data-store	No	Yes	Jan 16, 2026

GHSA-gw32-9rmw-qwww:
JavaScript vulnerability analysis and mitigation

Summary

Details

PoC

Impact

8.4

Related JavaScript vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

GHSA-gw32-9rmw-qwww: JavaScript vulnerability analysis and mitigation