CVE-2025-1461

Name of the Vulnerable Software and Affected Versions Vuetify versions 2.0.0 through 2.x

Description The issue arises from the improper neutralization of the eventMoreText property value in the VCalendar component, allowing unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) attack. The vulnerability occurs because the default Vuetify translator returns the translation key as the translation if it cannot find an actual translation.

Recommendations For versions 2.0.0 through 2.x, as these versions are End-of-Life and will not receive updates, consider migrating to a supported version of Vuetify to address this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.