Refine your search
1 vulnerability found for by code16
CVE-2025-62798 (GCVE-0-2025-62798)
Vulnerability from cvelistv5
Published
2025-10-28 20:58
Modified
2025-10-29 17:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T17:31:18.507828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T17:31:24.267Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sharp",
"vendor": "code16",
"versions": [
{
"status": "affected",
"version": "\u003c 9.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ \u0026 }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-28T20:58:21.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"
},
{
"name": "https://github.com/code16/sharp/pull/654",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/code16/sharp/pull/654"
},
{
"name": "https://github.com/code16/sharp/releases/tag/v9.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/code16/sharp/releases/tag/v9.11.1"
}
],
"source": {
"advisory": "GHSA-9f58-4465-23c7",
"discovery": "UNKNOWN"
},
"title": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62798",
"datePublished": "2025-10-28T20:58:21.793Z",
"dateReserved": "2025-10-22T18:55:48.011Z",
"dateUpdated": "2025-10-29T17:31:24.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}