Cross-Site Scripting Vulnerability in Phoenix Framework Live View
CVE-2026-58228

5.1MEDIUM

Key Information:

Vendor
CVE Published:
13 July 2026

What is CVE-2026-58228?

The Phoenix Framework's Live View component has a cross-site scripting vulnerability that enables attackers to bypass URL scheme validation. This issue arises from functions not properly checking incoming URLs, allowing scripts such as 'javascript:alert(1)' to be executed in the victim's browser. The flaw affects applications rendering user-supplied URLs, potentially leading to severe security risks. Affected versions range from 1.2.2 to just before 1.2.7, and users are urged to update to the latest patched version.

Affected Version(s)

phoenix_live_view 1.2.2 < 1.2.7

phoenix_live_view 4b63216ae68886db99cf7772af23372d76c40e7e < 86165533e311469a1b62093fd182d9d874de8106

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Barna Kovacs
Steffen Deusch
José Valim
Jonatan Männchen / EEF
.