Skip to main content

blitz-js blitz EUVD-2026-31781

| CVE-2026-9520 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 VulDB GHSA-h2p9-cr4h-px24
XSS Blitz
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 13:03 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 20:07 NVD
4.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious login URL with XSS payload in 'next' parameter
Delivery
Deliver crafted link to victim via phishing
Exploit
Victim loads blitz login page
Execution
Unsanitized 'next' value executes in browser
Impact
Steal session token or redirect to phishing page
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attack requires that the target application was scaffolded using the blitz generator with versions 3.0.0-3.0.2, retaining the unmodified LoginForm.tsx template file. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 is notably low, driven by UI:P (requires victim interaction) and limited impact metrics (VI:L only - no confidentiality or availability impact on either the vulnerable or subsequent systems). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a blitz-js login page with a malicious JavaScript payload injected into the 'next' query parameter (e.g., /login?next=javascript:alert(document.cookie)) and distributes this link via phishing email or social media. A victim who clicks the link and lands on the login page triggers execution of the injected script in their browser context, potentially exposing session cookies or redirecting the user to a credential-harvesting page. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor did not respond to the responsible disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31781 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy