Search criteria
2 vulnerabilities by blitz-js
CVE-2026-9520 (GCVE-0-2026-9520)
Vulnerability from cvelistv5 – Published: 2026-05-26 01:30 – Updated: 2026-05-27 19:59
VLAI
Title
blitz-js blitz Sign-in LoginForm.tsx cross site scripting
Summary
A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365540 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365540/cti | signaturepermissions-required |
| https://vuldb.com/submit/814378 | third-party-advisory |
| https://gist.github.com/TrebledJ/164c7ca6c8208b63… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9520",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T19:59:28.533557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T19:59:37.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:blitz-js:blitz:*:*:*:*:*:*:*:*"
],
"modules": [
"Sign-in"
],
"product": "blitz",
"vendor": "blitz-js",
"versions": [
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.1"
},
{
"status": "affected",
"version": "3.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "trebledj (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T01:30:09.761Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365540 | blitz-js blitz Sign-in LoginForm.tsx cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365540"
},
{
"name": "VDB-365540 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365540/cti"
},
{
"name": "Submit #814378 | BlitzJS Blitz 3.0.2 DOM-Based XSS, Open Redirect",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/814378"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-25T21:17:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "blitz-js blitz Sign-in LoginForm.tsx cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9520",
"datePublished": "2026-05-26T01:30:09.761Z",
"dateReserved": "2026-05-25T19:12:43.499Z",
"dateUpdated": "2026-05-27T19:59:37.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23631 (GCVE-0-2022-23631)
Vulnerability from cvelistv5 – Published: 2022-02-09 21:55 – Updated: 2024-08-03 03:51
VLAI
Title
Prototype Pollution leading to Remote Code Execution in superjson
Summary
superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.
Severity
9.1 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/blitz-js/superjson/security/ad… | x_refsource_CONFIRM |
| https://github.com/advisories/GHSA-5888-ffcr-r425 | x_refsource_MISC |
| https://www.sonarsource.com/blog/blitzjs-prototyp… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425"
},
{
"name": "https://github.com/advisories/GHSA-5888-ffcr-r425",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-5888-ffcr-r425"
},
{
"name": "https://www.sonarsource.com/blog/blitzjs-prototype-pollution/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sonarsource.com/blog/blitzjs-prototype-pollution/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "superjson",
"vendor": "blitz-js",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T22:33:11.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425"
},
{
"name": "https://github.com/advisories/GHSA-5888-ffcr-r425",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-5888-ffcr-r425"
},
{
"name": "https://www.sonarsource.com/blog/blitzjs-prototype-pollution/",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/blitzjs-prototype-pollution/"
}
],
"source": {
"advisory": "GHSA-5888-ffcr-r425",
"discovery": "UNKNOWN"
},
"title": "Prototype Pollution leading to Remote Code Execution in superjson"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23631",
"datePublished": "2022-02-09T21:55:10.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:51:45.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}