Cross-Site Scripting in buefy

Severity:: High

Description

Versions of buefy prior to 0.7.2 are vulnerable to Cross-Site Scripting, allowing attackers to manipulate the DOM and execute remote code. The autocomplete list renders user input as HTML without encoding.

Recommendation

Update the buefy package to the latest compatible version. Followings are version details:

Affected version(s): < 0.7.2
Patched version(s): 0.7.2

References

GHSA-xwqw-rf2q-xmhf
www.npmjs.com
CWE-79
OWASP 2021-A3

Related Issues

Vditor Cross-site Scripting vulnerability - CVE-2021-32855
Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details - CVE-2022-39350
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064

Tags:: npm; buefy

Anything's wrong? Let us know Last updated on January 09, 2023