Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross-site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attack requires that the target application was scaffolded with the blitz generator at versions 3.0.0-3.0.2 and still carries the unmodified LoginForm.tsx template file. … |
| Risk Assessment | The CVSS 4.0 base score of 2.1 is notably low, driven by UI:P (the victim must interact) and limited impact metrics (VI:L only: no confidentiality or availability impact on either the vulnerable or a subsequent system). … |
| Exploit Scenario | An attacker crafts a URL to a blitz-js login page with a malicious JavaScript payload injected into the 'next' query parameter (e.g., /login?next=javascript:alert(document.cookie)) and distributes this link via phishing email or social media. A victim who clicks the link and lands on the login page triggers execution of the injected script in their browser context, potentially exposing session cookies or redirecting the user to a credential-harvesting page. … |
| Remediation | No vendor-released patch had been identified at the time of analysis; the vendor did not respond to the responsible disclosure. … |
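As an added defensive example (not code from the Blitz project or from this page), the check below validates a post-login `next` parameter so that only same-origin paths are ever handed to the router; the function name `safeNext`, the assumed `router.push(next)` usage, the `/` fallback and the sample inputs are constructed for illustration. It goes beyond the `javascript:` case in the scenario above by also rejecting scheme-relative, backslash and dot-segment variants.

```javascript
// Added example, not Blitz's own code: validate a post-login "next" redirect
// target so that only same-origin, path-only destinations are honoured.
// Assumptions: the sign-in handler ends with something like router.push(next),
// and "/" is an acceptable fallback destination.

const FALLBACK_PATH = "/";

// Returns a safe path (plus query/fragment) on `origin`, or the fallback.
function safeNext(candidate, origin) {
  if (typeof candidate !== "string" || candidate === "") return FALLBACK_PATH;
  // A same-site target starts with exactly one "/": "javascript:..." has none,
  // "//host" is scheme-relative, and browsers treat "/\host" like "//host".
  const head = candidate.slice(0, 2);
  if (candidate[0] !== "/" || head === "//" || head === "/\\") return FALLBACK_PATH;
  // Resolve against the site origin; the WHATWG parser normalises dot segments
  // and backslashes, so the checks below see what the browser would actually use.
  let resolved;
  try {
    resolved = new URL(candidate, origin);
  } catch (_e) {
    return FALLBACK_PATH;
  }
  if (resolved.origin !== origin || !/^https?:$/.test(resolved.protocol)) {
    return FALLBACK_PATH;
  }
  // "/..//evil.example" normalises to the pathname "//evil.example", which a
  // later router.push would treat as scheme-relative; reject that too.
  if (resolved.pathname.slice(0, 2) === "//") return FALLBACK_PATH;
  // Hand back only path, query and fragment, never a full URL.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs showing how each is handled.
const ORIGIN = "https://app.example";
const SAMPLES = [
  "/dashboard?tab=1",
  "/a/../b#x",
  "javascript:alert(document.cookie)",
  "//evil.example/phish",
  "/\\evil.example",
  "https://evil.example/",
  "/..//evil.example",
  null,
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeNext(s, ORIGIN));
}
```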
External POC / Exploit Code
Other identifiers
- EUVD-2026-31781
- GHSA-h2p9-cr4h-px24