{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62798", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-22T18:55:48.011Z", "datePublished": "2025-10-28T20:58:21.793Z", "dateUpdated": "2025-10-29T17:31:24.267Z"}, "containers": {"cna": {"title": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"}, {"name": "https://github.com/code16/sharp/pull/654", "tags": ["x_refsource_MISC"], "url": "https://github.com/code16/sharp/pull/654"}, {"name": "https://github.com/code16/sharp/releases/tag/v9.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/code16/sharp/releases/tag/v9.11.1"}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"version": "< 9.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-28T20:58:21.793Z"}, "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."}], "source": {"advisory": "GHSA-9f58-4465-23c7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-29T17:31:18.507828Z", "id": "CVE-2025-62798", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T17:31:24.267Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62798", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-29T17:31:18.507828Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-29T17:31:21.518Z"}}], "cna": {"title": "Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax", "source": {"advisory": "GHSA-9f58-4465-23c7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "code16", "product": "sharp", "versions": [{"status": "affected", "version": "< 9.11.1"}]}], "references": [{"url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7", "name": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/code16/sharp/pull/654", "name": "https://github.com/code16/sharp/pull/654", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/code16/sharp/releases/tag/v9.11.1", "name": "https://github.com/code16/sharp/releases/tag/v9.11.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-28T20:58:21.793Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62798", "state": "PUBLISHED", "dateUpdated": "2025-10-29T17:31:24.267Z", "dateReserved": "2025-10-22T18:55:48.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-28T20:58:21.793Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."}], "id": "CVE-2025-62798", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-10-28T21:15:40.913", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/code16/sharp/pull/654"}, {"source": "security-advisories@github.com", "url": "https://github.com/code16/sharp/releases/tag/v9.11.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-10-29T10:57:41.726817+00:00", "updated": "2025-10-29T10:57:41.726839+00:00", "vendors": ["code16", "code16$PRODUCT$sharp"]}