Browse all 5 CVE security advisories affecting KaTeX. AI-powered Chinese analysis, POCs, and references for each vulnerability.
KaTeX is a fast, easy-to-use JavaScript library for rendering mathematical notation on web pages and in applications. Historically, it has been susceptible to cross-site scripting (XSS) vulnerabilities due to improper input sanitization, allowing attackers to execute malicious scripts in user browsers. Remote code execution risks have also been identified through crafted mathematical expressions that could trigger memory corruption or bypass security controls. While no major public security incidents have been widely reported, the five documented CVEs primarily involve XSS flaws and input validation weaknesses. The library's focus on performance has occasionally resulted in insufficient security hardening, particularly around parsing untrusted mathematical expressions from user inputs or third-party sources.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-23207 | \htmlData does not validate attribute names in KaTeX — KaTeXCWE-116 | 6.3 | Medium | 2025-01-17 |
| CVE-2024-28246 | KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols — KaTeXCWE-184 | 5.5 | Medium | 2024-03-25 |
| CVE-2024-28245 | KaTeX's \includegraphics does not escape filename — KaTeXCWE-116 | 6.3 | Medium | 2024-03-25 |
| CVE-2024-28244 | KaTeX's maxExpand bypassed by Unicode sub/superscripts — KaTeXCWE-674 | 6.5 | Medium | 2024-03-25 |
| CVE-2024-28243 | KaTeX's maxExpand bypassed by \edef — KaTeXCWE-674 | 6.5 | Medium | 2024-03-25 |
This page lists every published CVE security advisory associated with KaTeX. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.