EUVD-2026-16430CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Tags
Description
Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields - description, inputs[].displayName, inputs[].description - through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.
Analysis
Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Kestra deployments and confirm versions affected (up to 1.3.3); restrict access to flow creation/editing to trusted authors only and disable flow sharing with lower-privileged users. Within 7 days: Monitor Kestra advisory channels and vendor GitHub for patch release confirmation; test any released patches in a non-production environment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today