What is the CVSS score of CVE-2026-33664?

CVE-2026-33664 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Kestra are affected by CVE-2026-33664?

Kestra orchestration platform versions up to 1.3.3 contain a stored cross-site scripting vulnerability that allows authenticated flow authors to embed malicious code in flow metadata, which executes…

How to fix or mitigate CVE-2026-33664?

Within 24 hours: Inventory all Kestra deployments and confirm versions affected (up to 1.3.3); restrict access to flow creation/editing to trusted authors only and disable flow sharing with lower-privileged users. Within 7 days: Monitor Kestra advisory channels and vendor GitHub for patch release confirmation; test any released patches in a non-production environment. Within 30 days: Apply patched version immediately upon vendor release confirmation; audit recent flow creation activity for suspicious metadata in description and displayName fields.

Kestra CVE-2026-33664

EUVD-2026-16430 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-03-26 GitHub_M

XSS Kestra

7.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 26, 2026 - 21:31 euvd

EUVD-2026-16430

Analysis Generated

Mar 26, 2026 - 21:31 vuln.today

CVE Published

Mar 26, 2026 - 21:13 nvd

HIGH 7.3

DescriptionGitHub Advisory

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields - description, inputs[].displayName, inputs[].description - through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.

AnalysisAI

Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious flow YAML with JavaScript in metadata fields

Delivery

Flow author uploads to Kestra platform

Exploit

User views flow details or interacts with interface

Execution

Markdown.vue renders HTML with v-html without sanitization

Impact

Arbitrary JavaScript executes in victim's browser