CodeQL Flags Unpatched DOM-Based XSS in Homeschool Hero FileUpload Component; Venkman Named Likely Owner
A high-severity cross-site scripting vulnerability has been identified in the frontend infrastructure of homeschool-hero, the open-source project maintained by user x3nc0n. The flaw, detected by GitHub's CodeQL security scanner on May 11, 2026, affects client-side code responsible for handling file uploads and involves DOM text being reinterpreted as HTML without proper meta-character escaping.
The vulnerability resides in frontend/src/components/features/FileUpload.tsx at line 276. According to the CodeQL finding (identifier: js/xss-through-dom), the affected code fails to sanitize DOM text before it is reinterpreted as HTML, creating a potential injection vector for malicious scripts. The issue was flagged in a dedicated security scan workflow and has been classified with HIGH severity. Notably, no fixed version has been provided, and the component remains exposed pending remediation. Frontend developer Venkman has been flagged as the likely owner of the affected code.
DOM-based XSS vulnerabilities allow attackers to execute arbitrary JavaScript in a victim's browser when the application reflects untrusted input taken from the DOM into executable HTML. In a file upload context, this could enable session hijacking, credential theft, or the injection of malicious content into pages served to other users. Security researchers warn that the absence of a confirmed patch elevates the risk for any instance where untrusted user content may flow through the affected component. The homeschool-hero maintainers face pressure to address the finding before the vulnerability is publicly exploited.
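To illustrate the class of defect the CodeQL query js/xss-through-dom reports, the following is an added example written for this article; it is not code from the homeschool-hero project or from FileUpload.tsx, and the page does not state which sink the real component uses. It assumes the common shape of the bug: a file name that was read back from the DOM is concatenated into markup and assigned to innerHTML (in a React component the equivalent sink would be dangerouslySetInnerHTML or a direct innerHTML write through a ref, since ordinary JSX text is escaped). The FakeElement, the sample file name and the helper names are constructed for the example so it runs under Node without a browser.

```javascript
// Added example (not homeschool-hero code): the pattern CodeQL's
// js/xss-through-dom query reports, next to two hardened versions.
// A minimal stand-in element records what the component would assign
// to innerHTML / textContent so the comparison runs without a browser.

// Escape the five HTML meta-characters so input is displayed literally.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed stand-in for a DOM element: only the two sinks we compare.
// (A real element would also reflect a textContent write into innerHTML,
// escaped; this stub does not model that.)
class FakeElement {
  constructor() {
    this.innerHTML = "";
    this.textContent = "";
  }
}

// VULNERABLE pattern: DOM-sourced text (the uploaded file's name) is
// spliced into markup and parsed as HTML. Any tag-like text in the name
// becomes real elements. This is the flow js/xss-through-dom flags.
function renderFileNameUnsafe(statusEl, fileName) {
  statusEl.innerHTML = '<span class="file-name">' + fileName + "</span>";
  return statusEl.innerHTML;
}

// HARDENED A: escape meta-characters before building markup.
function renderFileNameEscaped(statusEl, fileName) {
  statusEl.innerHTML =
    '<span class="file-name">' + escapeHtml(fileName) + "</span>";
  return statusEl.innerHTML;
}

// HARDENED B: avoid HTML parsing entirely by writing textContent.
function renderFileNameAsText(statusEl, fileName) {
  statusEl.textContent = fileName;
  return statusEl.textContent;
}

// Review check: did the input add tags beyond those in the template?
// Counts tag-like tokens in the rendered markup versus the empty template.
function inputIntroducedTag(rendered, template) {
  const tagsIn = (s) => (s.match(/<[a-zA-Z/][^>]*>/g) || []).length;
  return tagsIn(rendered) > tagsIn(template);
}

// Constructed sample: a file name that carries markup (deliberately benign).
const SAMPLE_NAME = "<b>report</b>.pdf";
const TEMPLATE = '<span class="file-name"></span>';

// Render the same name through all three paths for comparison.
function demo() {
  const el = new FakeElement();
  return {
    unsafe: renderFileNameUnsafe(el, SAMPLE_NAME),
    escaped: renderFileNameEscaped(el, SAMPLE_NAME),
    asText: renderFileNameAsText(el, SAMPLE_NAME),
  };
}

console.log(demo());
```

Running the block shows the unsafe path emitting a live bold element that came from the file name, while the escaped path renders the same characters as literal text and the textContent path never parses markup at all. The inputIntroducedTag check is the kind of assertion a component test can carry so that a regression to the innerHTML pattern is caught before a scanner reports it.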