Search criteria
1 vulnerability by code16
CVE-2025-62798 (GCVE-0-2025-62798)
Vulnerability from cvelistv5 – Published: 2025-10-28 20:58 – Updated: 2025-10-29 17:31
VLAI?
Summary
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T17:31:18.507828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T17:31:24.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sharp",
"vendor": "code16",
"versions": [
{
"status": "affected",
"version": "\u003c 9.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ \u0026 }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T20:58:21.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"
},
{
"name": "https://github.com/code16/sharp/pull/654",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/code16/sharp/pull/654"
},
{
"name": "https://github.com/code16/sharp/releases/tag/v9.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/code16/sharp/releases/tag/v9.11.1"
}
],
"source": {
"advisory": "GHSA-9f58-4465-23c7",
"discovery": "UNKNOWN"
},
"title": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62798",
"datePublished": "2025-10-28T20:58:21.793Z",
"dateReserved": "2025-10-22T18:55:48.011Z",
"dateUpdated": "2025-10-29T17:31:24.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}