Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
AnalysisAI
Cross-site scripting (XSS) vulnerability in nextlevelbuilder ui-ux-pro-max-skill up to version 2.5.0 allows remote attackers to inject malicious scripts via unescaped user input in the Slide Generator component's data.get() function. The vulnerability affects slide generation where user-supplied content (titles, subtitles, company names, feature descriptions) is embedded directly into HTML output without sanitization. Publicly available exploit code exists, and the vendor has released a patch via pull request, though the project has not actively responded to security notifications. CVSS score of 2.1 reflects low severity due to required user interaction, but the public availability of exploit code increases practical exploitation risk.
Technical ContextAI
The vulnerability exists in the generate-slide.py script's Slide Generator component, which dynamically constructs HTML slide content using Python f-strings with unescaped user-supplied data from the data dictionary. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where the application fails to HTML-escape or URL-validate user inputs before embedding them into HTML attributes and content. The patch introduces two utility functions: _e() for HTML entity escaping using Python's html.escape() for text content, and _safe_url() for URL validation that whitelists safe schemes (http://, https://, #, /) and prevents javascript: URI injection. The vulnerability affects all data fields passed to slide generation functions (badge, title, subtitle, company name, pain point titles/descriptions, feature titles/descriptions, CTA buttons, and metadata fields), which are rendered client-side without sanitization.
RemediationAI
Vendor-released patch: Apply the fix from PR #274, which introduces HTML escaping via the _e() utility function and URL validation via the _safe_url() function (https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274). This patch wraps all user-supplied data with _e() for text content and _safe_url() for href attributes, preventing HTML/JavaScript injection. Update to the next stable release of ui-ux-pro-max-skill that includes this fix once officially tagged by the maintainers. As a temporary compensating control pending patch deployment, restrict access to the Slide Generator component to trusted users only, and validate/sanitize all slide data inputs externally before passing to the script using a server-side HTML sanitization library (e.g., bleach for Python). Do not allow untrusted external users to upload or import slide definitions. Additionally, deploy a Content Security Policy (CSP) header in any web interface that displays generated slides to restrict script execution to trusted sources only, which will limit the impact of injected XSS payloads.
More in Ui Ux Pro Max Skill
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26720