Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session.
The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in lib/phoenixliveview/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path.
Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session.
Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via <.link href={...}> are affected.
This issue affects phoenixliveview: from 1.2.2 before 1.2.7.
{
"cwe_ids": [
"CWE-79"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58228.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "4b63216ae68886db99cf7772af23372d76c40e7e"
},
{
"fixed": "86165533e311469a1b62093fd182d9d874de8106"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "EEF"
}