CVE-2026-58228

Source
https://cve.org/CVERecord?id=CVE-2026-58228
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58228.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58228
Aliases
Published
2026-07-13T18:04:30.636Z
Modified
2026-07-16T03:46:36.465830814Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
Scheme validation bypass in Phoenix.LiveView.Utils leads to XSS via <.link>
Details

Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session.

The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in lib/phoenixliveview/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path.

Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session.

Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via <.link href={...}> are affected.

This issue affects phoenixliveview: from 1.2.2 before 1.2.7.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58228.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4b63216ae68886db99cf7772af23372d76c40e7e"
                },
                {
                    "fixed": "86165533e311469a1b62093fd182d9d874de8106"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "EEF"
}
References

Affected packages

Git / github.com/phoenixframework/phoenix_live_view

Affected ranges

Type
GIT
Repo
https://github.com/phoenixframework/phoenix_live_view
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.2.2"
        },
        {
            "fixed": "1.2.7"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58228.json"