HIGH Severity XSS Vulnerability Detected in homeschool-hero FileUpload Component
A high-severity cross-site scripting vulnerability has been flagged in the homeschool-hero codebase, specifically within the FileUpload.tsx component. CodeQL's automated security scanner identified the flaw at line 275 of the frontend file, where DOM text is being reinterpreted as HTML without proper escaping of meta-characters. The finding, logged on May 9, 2026, carries a HIGH severity rating and points to a classic DOM-based XSS attack vector that could allow malicious actors to inject arbitrary code through user-controlled input.
The vulnerability stems from how the application extracts text from a DOM node and subsequently interprets it as HTML. This pattern is a well-documented security risk: when untrusted data flows from a DOM source into an HTML sink without sanitization, attackers can craft payloads that execute JavaScript in victims' browsers. The affected component, FileUpload.tsx, handles file upload functionality on the frontend, a feature that typically processes user-supplied filenames, metadata, or displayed content, all of which are potential injection points. CodeQL detected two separate instances where DOM text undergoes this dangerous reinterpretation, suggesting the issue may be systemic within the component rather than an isolated oversight.
No fixed version or remediation patch has been provided yet, leaving the vulnerability unaddressed. The likely code owner has been identified as Venkman, a frontend developer responsible for the client-side codebase. While the finding originates from automated scanning rather than active exploitation reports, DOM-based XSS vulnerabilities are frequently leveraged in real-world attacks to steal session cookies, redirect users, or perform actions on behalf of authenticated users. The absence of a provided fix increases the window of exposure, particularly if the FileUpload component is accessible to unauthenticated users or processes externally sourced filenames. Development teams should prioritize input sanitization and output encoding as immediate countermeasures.
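The flagged pattern and the output-encoding countermeasure recommended above, shown side by side as an added TypeScript example; this is constructed for illustration and is not code from homeschool-hero or its FileUpload.tsx component, and the UploadedFile shape and the renderFileEntry* / escapeHtml names are assumptions.

```typescript
// Minimal shape of an uploaded file as a file-list UI might display it
// (assumed for this example, not taken from homeschool-hero).
interface UploadedFile {
  name: string;      // user-controlled: comes from the picked file or a DOM node
  sizeBytes: number; // numeric, so it cannot carry markup
}

// The pattern CodeQL flags: text read from a DOM source (here, a filename) is
// spliced straight into markup that later reaches an HTML sink such as
// element.innerHTML or React's dangerouslySetInnerHTML. Any HTML
// meta-characters in the name are parsed as markup instead of shown as text.
function renderFileEntryUnsafe(file: UploadedFile): string {
  return `<li class="file"><span class="name">${file.name}</span> (${file.sizeBytes} B)</li>`;
}

// Output encoding: replace the five HTML meta-characters with entity
// references so the untrusted value can only ever be rendered as text,
// whichever HTML sink the string eventually ends up in.
function escapeHtml(text: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return text.replace(/[&<>"']/g, (ch) => map[ch] ?? ch);
}

// Hardened variant: every untrusted value is encoded before it meets the sink.
// (Rendering {file.name} as a JSX child would give the same protection, since
// React escapes text children; the risk appears only on raw HTML sinks.)
function renderFileEntrySafe(file: UploadedFile): string {
  return `<li class="file"><span class="name">${escapeHtml(file.name)}</span> (${file.sizeBytes} B)</li>`;
}

// Rough review check for either renderer: does a tag taken verbatim from the
// user input survive into the rendered markup? True means the input reached
// the sink unencoded. (Crude on purpose: it only looks at the first tag.)
function containsRawTagFromInput(markup: string, input: string): boolean {
  const tag = input.match(/<[^>]+>/);
  return tag !== null && markup.includes(tag[0]);
}

// Constructed sample filename containing HTML meta-characters; it is harmless
// and exists only to show the difference between the two renderers.
const sample: UploadedFile = { name: 'q1 <b>math</b> & "notes".pdf', sizeBytes: 1024 };

console.log(renderFileEntryUnsafe(sample)); // <b> survives as live markup
console.log(renderFileEntrySafe(sample));   // shown as &lt;b&gt;, i.e. plain text
```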