Reflected Cross-Site Scripting Vulnerability in Mixpost by Inovector
CVE-2026-57958

5.1 MEDIUM

Key Information:

Vendor: Inovector

Status
Vendor
CVE Published: 29 June 2026

What is CVE-2026-57958?

The Mixpost application, up to version 2.6.0, is susceptible to a reflected cross-site scripting (XSS) vulnerability. Unauthenticated attackers can craft malicious OAuth callback URLs that carry unsanitized error query parameters. When the OAuth callback controller processes such a URL, arbitrary JavaScript executes in the browsers of authenticated users. The error parameters are not sanitized before they are rendered via Laravel flash messages using the Vue v-html directive, which can lead to session hijacking or unauthorized actions within the application.
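The flow described above, next to two mitigations, as an added example that is not Mixpost code: the callback's error value is used only to select a fixed message, and the flash text is rendered as text rather than as markup. All function names, the callback URL and the message strings are assumptions; the error codes are the ones defined in RFC 6749, section 4.1.2.1.

```javascript
// Added example: every name here is hypothetical, not Mixpost code.

// Error codes an authorization server may return (RFC 6749, section 4.1.2.1),
// each mapped to fixed, server-controlled text.
const OAUTH_ERROR_TEXT = new Map([
  ['invalid_request', 'The authorization request was malformed.'],
  ['unauthorized_client', 'This client is not allowed to request authorization.'],
  ['access_denied', 'Authorization was denied.'],
  ['unsupported_response_type', 'The provider does not support this response type.'],
  ['invalid_scope', 'The requested scope is invalid.'],
  ['server_error', 'The provider reported a server error.'],
  ['temporarily_unavailable', 'The provider is temporarily unavailable.'],
]);
const GENERIC_ERROR = 'The provider returned an error.';

// Pattern described in the advisory: the raw query value becomes the flash text.
function flashFromCallbackUnsafe(callbackUrl) {
  return new URL(callbackUrl).searchParams.get('error');
}

// Hardened: the query value only selects a message; it is never echoed.
function flashFromCallback(callbackUrl) {
  const code = new URL(callbackUrl).searchParams.get('error');
  if (code === null) return null;
  return OAUTH_ERROR_TEXT.get(code) ?? GENERIC_ERROR;
}

// Effect of v-html on a string: it is inserted as markup, unescaped.
function renderAsHtml(message) {
  return `<div class="flash">${message}</div>`;
}

// Effect of text interpolation: the value is treated as text, so markup
// characters end up escaped.
function renderAsText(message) {
  const escaped = String(message).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
  return `<div class="flash">${escaped}</div>`;
}

// Constructed callback URL whose error parameter carries harmless markup.
const SAMPLE = 'https://app.example.test/callback/provider?error=' +
  encodeURIComponent('<b id="injected">denied</b>');

console.log(renderAsHtml(flashFromCallbackUnsafe(SAMPLE))); // markup survives
console.log(renderAsText(flashFromCallbackUnsafe(SAMPLE))); // markup escaped
console.log(renderAsHtml(flashFromCallback(SAMPLE)));       // fixed text only
```

Either mitigation alone stops the reflected markup in this sketch; applying both means a later change to the template or to the controller does not reopen the issue.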

Affected Version(s)

mixpost 0 <= 2.6.0

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen