CVE-2026-33664

{"id": "CVE-2026-33664", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-26T22:16:29.727", "references": [{"url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-v2mc-8q95-g7hp", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-v2mc-8q95-g7hp", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields \u2014 description, inputs[].displayName, inputs[].description \u2014 through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available."}, {"lang": "es", "value": "Kestra es una plataforma de orquestaci\u00f3n de c\u00f3digo abierto impulsada por eventos. Las versiones hasta la 1.3.3 inclusive renderizan los campos de metadatos YAML de flujo proporcionados por el usuario \u2014 description, inputs[].displayName, inputs[].description \u2014 a trav\u00e9s del componente Markdown.vue instanciado con html: true. El HTML resultante se inyecta en el DOM a trav\u00e9s de v-html de Vue sin ninguna sanitizaci\u00f3n. Esto permite a un autor de flujo incrustar JavaScript arbitrario que se ejecuta en el navegador de cualquier usuario que vea o interact\u00fae con el flujo. Esto es distinto de GHSA-r36c-83hm-pc8j / CVE-2026-29082, que cubre solo la renderizaci\u00f3n de archivos .md por FilePreview.vue a partir de las salidas de ejecuci\u00f3n. El hallazgo actual afecta a diferentes componentes, diferentes fuentes de datos y requiere significativamente menos interacci\u00f3n del usuario (cero clics para input.displayName). Al momento de la publicaci\u00f3n, no est\u00e1 claro si hay un parche disponible."}], "lastModified": "2026-03-31T01:48:34.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "607D5BF1-96C9-4F37-B94C-EA1A224FAFAD", "versionEndIncluding": "1.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}