GHSA-9F58-4465-23C7
Vulnerability from github – Published: 2025-10-29 10:52 – Updated: 2025-10-29 10:52
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.
In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.
For example, if a field’s value contains {{ Math.random() }}, it will be executed instead of being displayed as text.
Impact
Attackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user’s browser.
This could lead to:
- Theft of user session tokens.
- Unauthorized actions performed on behalf of users.
- Injection of malicious content into the admin panel.
Patches
The issue has been fixed in v9.11.1 of the code16/sharp package.
Mitigation / Workarounds
Sanitize or encode any user-provided data that may include ({{ & }}) before displaying it in a SharpShowTextField.
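As an added example (not code from code16/sharp or from its v9.11.1 fix), the following JavaScript shows the two halves of the workaround above: an encoder that neutralises both HTML tags and the {{ }} delimiters before a value reaches a Vue-compiled template, and a detection helper that flags stored field values that already contain interpolation syntax. It assumes the template compiler recognises only the literal two-character sequence {{ in source text, so a numeric character reference for { renders as text; the sample values are constructed.

```javascript
// Added example, not code from code16/sharp: encode a user-provided string so that
// neither HTML tags nor Vue's {{ }} interpolation delimiters survive when the value
// is placed into markup that Vue may compile as a template.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode HTML-significant characters. This stops <script> / <img onerror> style
// injection but does NOT stop Vue from evaluating {{ ... }} in a compiled template.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Additionally encode every '{' and '}' as a numeric character reference.
// Assumption (not taken from the advisory): the template compiler looks for the
// literal "{{" in the source text, so "&#123;&#123;" is rendered as "{{" without
// being treated as an interpolation.
function encodeForVueText(value) {
  return escapeHtml(value).replace(/[{}]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Detection helper for defenders: flag stored field values that contain a
// mustache expression so they can be audited before the upgrade to v9.11.1.
const MUSTACHE_RE = /\{\{[\s\S]*?\}\}/;
function containsVueInterpolation(value) {
  return MUSTACHE_RE.test(String(value));
}

// Constructed sample values, not taken from any real Sharp instance.
const SAMPLES = [
  "Plain product description",
  "Price: {{ Math.random() }}", // the advisory's own example expression
  "<b>bold</b> and {{ 1 + 1 }}",
];

// Returns one audit row per value: whether it was flagged and its safe encoding.
function auditSamples(samples = SAMPLES) {
  return samples.map((v) => ({
    value: v,
    flagged: containsVueInterpolation(v),
    encoded: encodeForVueText(v),
  }));
}
```

Encoding is the stopgap the advisory describes for content that must still be displayed; upgrading to v9.11.1 remains the fix.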
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "code16/sharp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62798"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-29T10:52:08Z",
"nvd_published_at": "2025-10-28T21:15:40Z",
"severity": "MODERATE"
},
"details": "A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.\n\nIn affected versions, expressions wrapped in `{{` \u0026 `}}` were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.\n\nFor example, if a field\u2019s value contains `{{ Math.random() }}`, it will be executed instead of being displayed as text.\n\n### Impact\n\nAttackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user\u2019s browser.\n\nThis could lead to:\n\n- Theft of user session tokens.\n- Unauthorized actions performed on behalf of users.\n- Injection of malicious content into the admin panel.\n\n### Patches\n\nThe issue has been fixed in v9.11.1 of code16/sharp package.\n\n### Mitigation / Workarounds\n\nSanitize or encode any user-provided data that may include (`{{` \u0026 `}}`) before displaying it in a SharpShowTextField.",
"id": "GHSA-9f58-4465-23c7",
"modified": "2025-10-29T10:52:08Z",
"published": "2025-10-29T10:52:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62798"
},
{
"type": "WEB",
"url": "https://github.com/code16/sharp/pull/654"
},
{
"type": "WEB",
"url": "https://github.com/ViktorMares/vue-js-xss-payload-list"
},
{
"type": "PACKAGE",
"url": "https://github.com/code16/sharp"
},
{
"type": "WEB",
"url": "https://github.com/code16/sharp/releases/tag/v9.11.1"
},
{
"type": "WEB",
"url": "https://medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.