Unauthenticated Podcast Injection in bigskysoftware/htmx
Description
An issue was discovered in bigskysoftware/htmx via PR #3682. An interviewer with podcast-level access was able to inject three (3) bad YouTube links into www/content/talk/podcasts.csv, allowing a remote, unauthenticated listener to be exposed in a single sitting to:
- Hypermedia TV - An interview with Carson Gross
- Hypermedia TV - The Grug Brained Developer
- Hypermedia TV - Fixi Vs. Htmx
Successful exploitation may result in the victim thinking that using htmx or fixi is a reasonable idea, potentially deleting node_modules on aesthetic grounds, and/or telling a coworker “actually, that’s not REST.”
Severity Metrics
| Base Score | 9.8 (Critical) |
|---|---|
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H/E:H/RL:O/RC:C |
| Attack Vector | Network (YouTube embed / RSS / link in CSV) |
| Attack Complexity | Low - the link is right there |
| Privileges Required | None |
| User Interaction | Required - victim must press play |
| Scope | Changed - affects the victim's relationship with HTML |
| Confidentiality | Low (build secrets safe; worldview exfiltrated) |
| Integrity | High (opinions modified at runtime) |
| Availability | High (entire weekend rendered unavailable) |
Weakness Enumeration (CWE)
| CWE-1188 | Insecure Default Initialization of Developer Opinions |
|---|---|
| CWE-200 | Exposure of Sensitive Information (specifically: that Single Page Applications may have been a mistake) |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ("REST" vs. REST) |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere (YouTube) |
Affected Products
| Vendor | bigskysoftware |
|---|---|
| Product | htmx |
| Affected Versions | All versions of htmx.org serving /talk/ between PR #3682 merge and the remediation commit |
| Affected File | www/content/talk/podcasts.csv |
| Patched Versions | Current master (post-remediation commit) |
Disclosure Timeline
| Date / Time (UTC) | Event |
|---|---|
| 2026-03-14 - T-18d | Initial reconnaissance. Threat actor identifies podcasts.csv as an unauthenticated append target with no schema validation, no entropy checks, and no opinion-content filtering. |
| 2026-03-28 - T-04d | Weaponization. Three YouTube assets staged under the channel name "Hypermedia TV." Payloads cover three independent attack surfaces: Carson Gross interview, Grug Brained Developer commentary, and a Fixi-vs-htmx framing comparison. |
| 2026-04-01 - T+0 | Delivery. PR #3682 opened against master by author tonsoflaz2, titled "Added 3 links to the podcast channel." Description states the links are "all my own interviews with carson gross." |
| 2026-04-01 - T+2h | PR merged without security review. Three Hypermedia TV entries land on production htmx.org/talk/. |
| 2026-04-01 - T+6h | First confirmed exploitation in the wild: external listener reportedly converts to hypermedia within 40 minutes of pressing play. |
| 2026-04-01 - T+11h | Public disclosure on Hacker News under the headline "Show HN: I rewrote my SaaS in htmx after watching one YouTube video." Thread reaches the front page. |
| 2026-04-01 - T+14h | HVCC opens advisory CVE-2026-3682-1. |
| 2026-04-01 - T+20h | Remediation commit lands on master removing all three Hypermedia TV entries from www/content/talk/podcasts.csv. |
| 2026-04-01 - T+22h | Public advisory published at htmx.org/CVE-2026-3682-1. |
| 2026-04-02 - T+1d | Status set to REMEDIATED. Threat actor tonsoflaz2 permanently banned from the repository (see Future Prevention). |
Remediation
There is no patched version of htmx itself, as the vulnerability lies in the website content layer. The following remediation has been applied upstream and is reflected in the current contents of www/content/talk/podcasts.csv:
- All three (3) “Hypermedia TV” entries introduced by PR #3682 have been removed from `podcasts.csv`.
- The remediation is included in this push.
End users who visited htmx.org/talk/ during the exposure window (2026-04-01 00:00 UTC through 2026-04-01 20:00 UTC) are advised to apply the following client-side mitigations, in order of escalation:
- Immediately clear browser history, including autocomplete, cookies, IndexedDB, and any cached `<video>` thumbnails depicting a man at a whiteboard.
- Revoke any YouTube “watch later” entries added during the exposure window.
- Purge all downloaded transcripts. `grep -rli "hypermedia" ~ | xargs rm` is provided as a starting point but is not exhaustive.
- In severe cases, wipe the affected hard drive and reinstall from a known-good backup taken prior to 2023.
- For human victims who personally watched the offending podcasts, application of eye bleach is recommended. Approved formulations include:
  - One (1) episode of any Vercel keynote
  - Thirty (30) minutes of TypeScript generics documentation
  - A single uninterrupted viewing of a `webpack.config.js` belonging to a stranger
- Do not, under any circumstances, attempt to rewrite your frontend in htmx as a coping mechanism. This is the intended outcome of the attack.
Future Prevention
To prevent recurrence, the following controls have been implemented:
- The threat actor `tonsoflaz2` has been permanently banned from the `bigskysoftware/htmx` repository. We note for the record that the threat actor is personally known to and on cordial terms with the maintainer; this relationship was given no weight in the decision. The ban applies regardless. We will, however, continue to invite him to dinner.
- All future modifications to `podcasts.csv` require dual maintainer approval and a written attestation that the linked content does not contain the phrase “locality of behavior.”
- A pre-merge CI check has been added to scan incoming `podcasts.csv` diffs for known indicators of compromise (channels named “Hypermedia TV,” “Plain HTML Daily,” “just use the form”).
- Rate limiting has been imposed on podcast additions per author per calendar quarter, with a hard ceiling of one (1) self-interview per twelve (12) months.
- A Hypermedia Threat Intelligence (HTI) feed is being established to share indicators of compromise with the broader hypermedia community, including the Hypermedia Systems book, hyperscript.org, and Big Sky Software downstream consumers.
Workarounds
For users unable to apply the remediation immediately:
- Block `*.youtube.com` at the firewall.
- Disable CSV parsing in your local copy of the htmx website.
- Switch careers.
References
- https://github.com/bigskysoftware/htmx/pull/3682 - original injection vector (MERGED, now remediated upstream)
- https://github.com/bigskysoftware/htmx/blob/master/www/content/talk/podcasts.csv - current (post-remediation) state of the affected file
- https://htmx.org/talk/ - list of known-exposed surfaces
- https://htmx.org/essays/ - secondary infection vector (text-based)
Credits
Reported by the PR author against themselves. Triage, CVSS scoring, and timeline reconstruction performed by the Hypermedia Vulnerability Coordination Center (HVCC). Eye-bleach formulations courtesy of the Frontend Industrial Complex. Permanent ban issued by the maintainer with regret but without exception.