Blitz
Cross-site scripting in blitz-js blitz (versions 3.0.0-3.0.2) allows remote attackers to inject malicious scripts via the 'Next' redirect parameter in the LoginForm component's Sign-in flow. The vulnerability requires passive user interaction (a victim must follow a crafted link) and is limited to low-integrity impact on the vulnerable system per CVSS 4.0 scoring. Publicly available exploit code exists (GitHub Gist), though EPSS stands at 0.03% (9th percentile) indicating low observed exploitation probability, and it is not listed in CISA KEV. The vendor did not respond to responsible disclosure, meaning no patch has been released.
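Since no vendor patch exists, the practical mitigation is to validate the sign-in flow's redirect parameter before it reaches any navigation or `href` sink. The following is an added example, not blitz-js code: it assumes the parameter is a query string named `next` and an application origin of `https://app.example.com`, and reduces any value to a same-origin path or a default.

```javascript
// Added example (not blitz-js code): restrict a post-login "next" redirect
// value to a same-origin path so it cannot carry a javascript: scheme (the
// XSS vector) or send the user to another host (open redirect).
// The parameter name "next" and the origin below are assumptions.

const DEFAULT_NEXT = "/";

function safeNext(rawNext, origin = "https://app.example.com") {
  if (typeof rawNext !== "string" || rawNext.length === 0) return DEFAULT_NEXT;
  // Reject control characters and whitespace: URL parsers strip some of
  // them (e.g. a tab inside "java\tscript:"), which would hide the scheme.
  if (/[\u0000-\u0020\u007f]/.test(rawNext)) return DEFAULT_NEXT;
  let url;
  try {
    // Relative values resolve against our origin; absolute values keep
    // their own, and WHATWG parsing normalises "\\evil" into "//evil".
    url = new URL(rawNext, origin);
  } catch {
    return DEFAULT_NEXT;
  }
  // Same origin only: rejects javascript:/data: (origin "null") and any
  // other host, including protocol-relative "//evil" forms.
  if (url.origin !== origin) return DEFAULT_NEXT;
  if (url.protocol !== "https:" && url.protocol !== "http:") return DEFAULT_NEXT;
  // Hand back a path-only value so the caller never echoes a full URL.
  return url.pathname + url.search + url.hash;
}

// Usage in a sign-in handler (constructed illustration):
//   const target = safeNext(new URLSearchParams(location.search).get("next"));
//   router.push(target);
```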