Kestra
Cross-site scripting in Kestra orchestration platform versions up to 1.3.3 enables authenticated flow authors to inject arbitrary JavaScript through unsanitized Markdown rendering in flow metadata fields (description, input displayName/description). The malicious scripts execute automatically when other users view the flow in the web UI, requiring zero interaction for input.displayName fields. This vulnerability (CVSS 7.3) differs from CVE-2026-29082 and affects different components with lower interaction requirements. No public exploit identified at time of analysis, and patch availability remains unconfirmed per the advisory.
Kestra versions 1.1.10 and earlier allow authenticated users to perform cross-site scripting (XSS) attacks through the execution-file preview feature, which renders unsanitized Markdown as HTML. An attacker with login credentials can inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or credential theft. Public exploit code exists and no patch is currently available.