{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1461", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "state": "PUBLISHED", "assignerShortName": "HeroDevs", "dateReserved": "2025-02-18T20:50:31.387Z", "datePublished": "2025-05-28T17:26:51.320Z", "dateUpdated": "2025-05-29T19:02:08.446Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "vuetify", "product": "Vuetify", "repo": "https://github.com/vuetifyjs/vuetify", "vendor": "N/A", "versions": [{"status": "affected", "version": ">=2.0.0 <3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "abze"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper neutralization of the value of the '<tt>eventMoreText</tt>' property of the '<tt><span style=\"background-color: rgb(255, 255, 255);\">VCalendar</span></tt><span style=\"background-color: rgb(255, 255, 255);\">' component&nbsp;</span>in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/xss\">Cross-Site Scripting (XSS)</a>&nbsp;attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.<br><br>This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.<br><br><b>Note:</b><br>Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://v2.vuetifyjs.com/en/about/eol/\">here</a>.<br>"}], "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ ."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:27:41.127Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461"}, {"tags": ["technical-description", "exploit"], "url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned", "x_open-source"], "title": "Vuetify XSS through 'eventMoreText' prop of VCalendar", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-29T19:01:31.139781Z", "id": "CVE-2025-1461", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T19:02:08.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1461", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-29T19:01:31.139781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-29T19:01:40.348Z"}}], "cna": {"tags": ["unsupported-when-assigned", "x_open-source"], "title": "Vuetify XSS through 'eventMoreText' prop of VCalendar", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "abze"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/vuetifyjs/vuetify", "vendor": "N/A", "product": "Vuetify", "versions": [{"status": "affected", "version": ">=2.0.0 <3.0.0", "versionType": "semver"}], "packageName": "vuetify", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461", "tags": ["third-party-advisory"]}, {"url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461", "tags": ["technical-description", "exploit"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .", "supportingMedia": [{"type": "text/html", "value": "Improper neutralization of the value of the '<tt>eventMoreText</tt>' property of the '<tt><span style=\"background-color: rgb(255, 255, 255);\">VCalendar</span></tt><span style=\"background-color: rgb(255, 255, 255);\">' component&nbsp;</span>in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/xss\">Cross-Site Scripting (XSS)</a>&nbsp;attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.<br><br>This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.<br><br><b>Note:</b><br>Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see <a target=\"_blank\" rel=\"nofollow\" href=\"https://v2.vuetifyjs.com/en/about/eol/\">here</a>.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "shortName": "HeroDevs", "dateUpdated": "2025-05-28T17:27:41.127Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1461", "state": "PUBLISHED", "dateUpdated": "2025-05-29T19:02:08.446Z", "dateReserved": "2025-02-18T20:50:31.387Z", "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c", "datePublished": "2025-05-28T17:26:51.320Z", "assignerShortName": "HeroDevs"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component\u00a0in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a\u00a0 Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss \u00a0attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation.\n\nThis issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.\n\nNote:\nVersion 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ ."}, {"lang": "es", "value": "La neutralizaci\u00f3n incorrecta del valor de la propiedad 'eventMoreText' del componente 'VCalendar' en Vuetify permite la inserci\u00f3n de HTML no saneado en la p\u00e1gina. Esto puede provocar un ataque de Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss. La vulnerabilidad se produce porque el traductor predeterminado de Vuetify devolver\u00e1 la clave de traducci\u00f3n como traducci\u00f3n si no encuentra una traducci\u00f3n real. Este problema afecta a las versiones de Vuetify superiores o iguales a la 2.0.0 y anteriores a la 3.0.0. Nota: La versi\u00f3n 2.x de Vuetify ha finalizado su ciclo de vida y no recibir\u00e1 actualizaciones para solucionar este problema. Para m\u00e1s informaci\u00f3n, consulte https://v2.vuetifyjs.com/en/about/eol/."}], "id": "CVE-2025-1461", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}, "published": "2025-05-28T18:15:25.953", "references": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "url": "https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461"}, {"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-1461"}], "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary"}]}

{}

{}