9 matches found
CVE-2026-33664
Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...
CVE-2026-33664
Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...
CVE-2026-33664 Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields
Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs.displayName, inputs.description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected...
CVE-2026-33664
Kestra 1.x (up to 1.3.3) is vulnerable to Stored Cross-Site Scripting in Markdown-based YAML flow metadata. The issue arises when user-supplied flow YAML fields—specifically description, inputs[].displayName, and inputs[].description—are rendered by Markdown.vue with html: true and then injected ...
PT-2026-28508
Name of the Vulnerable Software and Affected Versions Kestra versions up to and including 1.3.3 Description Kestra is an open-source, event-driven orchestration platform. Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields – description, inputs.displayName,...
CVE-2025-67750
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...
CVE-2025-67750
Lightning Flow Scanner is affected through versions 6.10.5 and earlier, where the APIVersion rule uses unsafe evaluation with new Function() to process expression strings. A maliciously crafted flow metadata file or rule configuration can cause arbitrary JavaScript execution during scanning, pote...
CVE-2025-67750 Lightning Flow Scanner is Vulnerable to Code Injection via Unsafe Use of new Function() in APIVersion Rule
Lightning Flow Scanner provides a A CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new...
lightning-flow-scanner 代码注入漏洞
lightning-flow-scanner is an open source command line automation plugin for Lightning Flow Scanner. A code injection vulnerability exists in lightning-flow-scanner version 6.10.5 and earlier, which stems from a maliciously constructed flow metadata file that could lead to arbitrary JavaScript...