CVE-2025-62798
Published 2025-10-28. CVE-2025-62798: Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in…
Priority P426 · medium · 5.4 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.20% (9.6th percentile)
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ and }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code16 | sharp | < 9.11.1 | 9.11.1 |
| code16 | sharp | >= 0 < 9.11.1 | 9.11.1 |
OSV
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
osv·2025-10-29
CVE-2025-62798 [MEDIUM] Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.
In affected versions, expressions wrapped in `{{` & `}}` were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed.
For example, if a field’s value contains `{{ Math.random() }}`, it will be executed instead of being displayed as text.
### Impact
Attackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user’s browser.
This could lead to:
- Theft of user session tokens.
- Unauthorized actions pe
GHSA
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
ghsa·2025-10-29
CVE-2025-62798 [MEDIUM] CWE-79 Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
(Advisory text identical to the OSV entry above.)
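The advisory text above (both the OSV and GHSA copies) explains the bug class: a field value that reaches Vue as part of the template source has its `{{ ... }}` segments compiled and evaluated, whereas the same string bound as a data value is rendered as text. After upgrading to 9.11.1, a defender still wants to know which stored records contain such expressions, because they may have been evaluated in browsers before the fix and are worth reviewing. The following audit helper is an added example written for this page; it is not code from code16/sharp or from the advisory. The regex, the record shape (`id`, `field`, `value`) and the sample records are constructed assumptions; only the `{{ Math.random() }}` value comes from the advisory.

```javascript
// Added example (not code16/sharp's code): audit stored field values for Vue
// interpolation delimiters. Any value containing "{{ ... }}" would have been
// evaluated by an affected SharpShowTextField instead of displayed as text.

// Matches a complete "{{ ... }}" pair, non-greedy, across newlines.
const INTERPOLATION_RE = /\{\{([\s\S]*?)\}\}/g;

/**
 * Find every complete {{ ... }} expression in a string.
 * Returns the trimmed expression text and its offset, plus a flag for a
 * dangling "{{" with no closing "}}" (still worth a manual look).
 */
function findInterpolations(value) {
  if (typeof value !== 'string') {
    // Non-string values (numbers, null, objects) are not template source.
    return { expressions: [], unterminated: false };
  }
  const expressions = [];
  INTERPOLATION_RE.lastIndex = 0; // reset: the regex is global and shared
  let m;
  while ((m = INTERPOLATION_RE.exec(value)) !== null) {
    expressions.push({ expression: m[1].trim(), index: m.index });
  }
  // Remove the complete pairs; anything left that still opens "{{" is dangling.
  const unterminated = value.replace(INTERPOLATION_RE, '').includes('{{');
  return { expressions, unterminated };
}

/**
 * Run the scan over an array of records ({ id, field, value }) and return only
 * the records that need review, in input order.
 */
function auditRecords(records) {
  const findings = [];
  for (const rec of records) {
    const { expressions, unterminated } = findInterpolations(rec.value);
    if (expressions.length > 0 || unterminated) {
      findings.push({ id: rec.id, field: rec.field, expressions, unterminated });
    }
  }
  return findings;
}

// Constructed sample rows standing in for a content table export.
const SAMPLE_RECORDS = [
  { id: 1, field: 'title', value: 'Quarterly report' },
  { id: 2, field: 'summary', value: 'Result: {{ Math.random() }}' }, // value from the advisory
  { id: 3, field: 'notes', value: 'Braces {{ a }} and {{ b }}' },
  { id: 4, field: 'body', value: 'dangling {{ start' },
  { id: 5, field: 'count', value: 42 },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditRecords(SAMPLE_RECORDS)) {
    const exprs = f.expressions.map((e) => `"${e.expression}"@${e.index}`).join(', ');
    console.log(`record ${f.id} field ${f.field}: ${exprs || '(none)'}` +
      (f.unterminated ? ' [unterminated {{]' : ''));
  }
}
```

Run it over a dump of the text fields that SharpShowTextField displays; records 2, 3 and 4 of the sample set are reported, record 5 is skipped because a number is never compiled as template source. On the rendering side, the general Vue rule the advisory implies is that user-provided strings must only ever be bound as data (rendered as text), never concatenated into the template source that Vue compiles; this scanner does not change rendering, it only locates content that needs review.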
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.