{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.547Z", "datePublished": "2026-01-23T23:50:35.700Z", "dateUpdated": "2026-01-26T17:07:29.574Z"}, "containers": {"cna": {"title": "Dioxus Components has JavaScript injection via user-supplied IDs", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69"}, {"name": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "tags": ["x_refsource_MISC"], "url": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a"}], "affected": [{"vendor": "DioxusLabs", "product": "components", "versions": [{"version": "< 41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-23T23:50:35.700Z"}, "descriptions": [{"lang": "en", "value": "Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue."}], "source": {"advisory": "GHSA-34pj-292j-xr69", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:06:47.464060Z", "id": "CVE-2026-24474", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:07:29.574Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.547Z", "datePublished": "2026-01-23T23:50:35.700Z", "dateUpdated": "2026-01-26T17:07:29.574Z"}, "containers": {"cna": {"title": "Dioxus Components has JavaScript injection via user-supplied IDs", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69"}, {"name": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "tags": ["x_refsource_MISC"], "url": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a"}], "affected": [{"vendor": "DioxusLabs", "product": "components", "versions": [{"version": "< 41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-23T23:50:35.700Z"}, "descriptions": [{"lang": "en", "value": "Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue."}], "source": {"advisory": "GHSA-34pj-292j-xr69", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:06:47.464060Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:07:14.900Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue."}, {"lang": "es", "value": "Dioxus Components es una librer\u00eda de componentes estilo shadcn para el framework de aplicaciones Dioxus. Antes del commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formatea una cadena para `eval` con un `id` que puede ser proporcionado por el usuario. El commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a parchea el problema."}], "id": "CVE-2026-24474", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-24T00:15:49.603", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a"}, {"source": "security-advisories@github.com", "url": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:09:43.536666+00:00", "value": {"mitigation_remediation": ["Update the Dioxus Components library to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a or a later stable release.", "Sanitize or remove any user-supplied IDs before they reach the use_animated_open helper, ensuring that eval is never called with uncontrolled data.", "Audit the application for any other instances of eval or dynamic code execution with user input and refactor those areas to use safe alternatives."], "summary": {"action": "Apply Patch", "impact": "Code Execution via JavaScript injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of DioxusLabs:components before commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. Any application that imports the components library and uses the use_animated_open helper with user\u2011supplied ID values is affected. Updating to the patched commit or any subsequent release eliminates the flaw.", "description_and_impact": "A flaw in the Dioxus Components library causes the use_animated_open helper to build a string that is later run through JavaScript's eval function, using an identifier that can be controlled by the end user. If an attacker supplies a specially crafted ID, arbitrary JavaScript code will execute in the context of the browser window that renders the component. This introduces the potential for cross\u2011site scripting, theft of credentials stored in the client, or modification of the page\u2019s content, resulting in a loss of confidentiality and integrity for users of applications that embed this component.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk, and the EPSS score of less than 1% suggests that exploit attempts are currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog, and there are no public exploit references. The attack requires elevation of a user\u2011supplied ID value to the component rendering code, which means a malicious actor could craft an input that triggers eval when the component is rendered. Because the flaw uses eval on controlled data, it is considered a code injection risk (CWE\u201194, CWE\u201195)."}}}}, "created": "2026-01-26T11:48:50.003582+00:00", "updated": "2026-04-18T15:15:03.694221+00:00", "vendors": ["dioxuslabs", "dioxuslabs$PRODUCT$components"]}