CVE-2024-53386

Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt