Cross-Site Scripting Vulnerability in Phoenix Framework Live View
CVE-2026-58228
5.1MEDIUM
What is CVE-2026-58228?
The Phoenix Framework's Live View component has a cross-site scripting vulnerability that enables attackers to bypass URL scheme validation. This issue arises from functions not properly checking incoming URLs, allowing scripts such as 'javascript:alert(1)' to be executed in the victim's browser. The flaw affects applications rendering user-supplied URLs, potentially leading to severe security risks. Affected versions range from 1.2.2 to just before 1.2.7, and users are urged to update to the latest patched version.
Affected Version(s)
phoenix_live_view 1.2.2 < 1.2.7
phoenix_live_view 4b63216ae68886db99cf7772af23372d76c40e7e < 86165533e311469a1b62093fd182d9d874de8106
References
CVSS V4
Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Barna Kovacs
Steffen Deusch
José Valim
Jonatan Männchen / EEF
