{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29082", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-06T16:33:31.961Z", "dateUpdated": "2026-03-09T14:59:32.254Z"}, "containers": {"cna": {"title": "Kestra: Stored Cross-Site Scripting in Markdown File Preview", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j"}, {"name": "https://github.com/kestra-io/kestra/releases/tag/v1.0.30", "tags": ["x_refsource_MISC"], "url": "https://github.com/kestra-io/kestra/releases/tag/v1.0.30"}], "affected": [{"vendor": "kestra-io", "product": "kestra", "versions": [{"version": "<= 1.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T16:33:31.961Z"}, "descriptions": [{"lang": "en", "value": "Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra\u2019s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue\u2019s v-html without sanitisation. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-r36c-83hm-pc8j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:59:28.908853Z", "id": "CVE-2026-29082", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:59:32.254Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29082", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T14:59:28.908853Z"}}}], "references": [{"url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:59:18.883Z"}}], "cna": {"title": "Kestra: Stored Cross-Site Scripting in Markdown File Preview", "source": {"advisory": "GHSA-r36c-83hm-pc8j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kestra-io", "product": "kestra", "versions": [{"status": "affected", "version": "<= 1.1.10"}]}], "references": [{"url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j", "name": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kestra-io/kestra/releases/tag/v1.0.30", "name": "https://github.com/kestra-io/kestra/releases/tag/v1.0.30", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra\u2019s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue\u2019s v-html without sanitisation. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T16:33:31.961Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29082", "state": "PUBLISHED", "dateUpdated": "2026-03-09T14:59:32.254Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T16:33:31.961Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kestra:kestra:*:*:*:*:*:*:*:*", "matchCriteriaId": "994D68C7-7BA6-4004-ABB4-061D0F4B308D", "versionEndIncluding": "1.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra\u2019s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue\u2019s v-html without sanitisation. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Kestra es una plataforma de orquestaci\u00f3n basada en eventos. En versiones desde la 1.1.10 y anteriores, la vista previa de archivos de ejecuci\u00f3n de Kestra renderiza Markdown (.md) proporcionado por el usuario con markdown-it instanciado como html:true e inyecta el HTML resultante con el v-html de Vue sin sanitizaci\u00f3n. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."}], "id": "CVE-2026-29082", "lastModified": "2026-03-10T21:00:33.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T17:16:34.347", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kestra-io/kestra/releases/tag/v1.0.30"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "kestra", "source": "cna", "vendor": "kestra-io"}, "product": "kestra", "vendor": "kestra-io"}], "analysis": {"en": {"generated_at": "2026-04-16T11:19:33.293496+00:00", "value": {"mitigation_remediation": ["Restrict or disable direct Markdown preview until a safe configuration can be applied", "Configure markdown\u2011it with html:false or process all rendered HTML through a trusted sanitizer before it is injected via v\u2011html", "Monitor the vendor\u2019s security advisories for a patched release; when available, upgrade Kestra to the fixed version or apply the official patch"], "summary": {"action": "Monitor", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Kestra \u2011 an event\u2011driven orchestration platform made by kestra\u2011io:kestra. All releases from 1.1.10 down to the earliest available are susceptible. No patched version exists at the time of publication; the advisory itself notes that a public fix has not yet been released.", "description_and_impact": "In Kestra versions 1.1.10 and older, the system renders user\u2011supplied Markdown files with the markdown\u2011it library configured as html:true. The resulting HTML is then injected directly into the page via Vue\u2019s v\u2011html directive without any sanitization. This allows an attacker who can supply a Markdown file to embed arbitrary HTML and JavaScript. When a victim opens the preview of the malicious file, the script runs in their browser, enabling session hijacking, defacement, or further malicious activity consistent with a stored cross\u2011site scripting vulnerability (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 7.3, indicating high severity, while the EPSS score is less than 1%. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local or requires the attacker to supply a Markdown file that an end\u2011user will preview. Once the file is previewed, the malicious code executes in the context of the victim\u2019s browser. Because the flaw is stored, any user who opens the file\u2014regardless of their authentication level\u2014can be affected. No additional exploitation prerequisites are detailed in the advisory, suggesting that the vulnerability is broadly exploitable within the user base that interacts with Markdown previews."}}}}, "created": "2026-03-09T10:07:18.958500+00:00", "updated": "2026-04-16T11:30:15.899811+00:00", "vendors": ["kestra-io", "kestra-io$PRODUCT$kestra"]}