CVE-2026-33664
- Source
- https://cve.org/CVERecord?id=CVE-2026-33664
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33664.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33664
- Aliases
-
- GHSA-v2mc-8q95-g7hp
- Published
- 2026-03-26T21:13:12.467Z
- Modified
- 2026-04-10T05:42:53.058901Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields
- Details
-
Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs[].displayName, inputs[].description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33664.json", "cna_assigner": "GitHub_M" }- References