Sharp user-provided input can be evaluated in a SharpShowTextField with...

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .

Basic Information

ID CVE-2025-62798

Source GitHub_M

Published Oct 28, 2025 at 20:58

Affected Product

Vendor code16

Product sharp

Version < 9.11.1

Affected Versions code16 sharp < 9.11.1

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .",
    "published": "2025-10-28T20:58:21.793Z",
    "modified": "2025-10-28T20:58:21.793Z",
    "type": "cve",
    "title": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax",
    "source": "GitHub_M",
    "references": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7\nhttps://github.com/code16/sharp/pull/654\nhttps://github.com/code16/sharp/releases/tag/v9.11.1",
    "id": "CVE-2025-62798",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "code16 sharp < 9.11.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "sharp",
    "version": "< 9.11.1",
    "vendor": "code16",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax_CVE-2025-62798