PT-2025-29827 · Vue-I18N+1 · Vue-I18N+1
Highkazupon
·
Published
2025-07-16
·
Updated
2026-05-19
·
CVE-2025-53892
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
Vue I18n versions 9.0.0 through 9.14.4
Vue I18n versions 10.0.0 through 10.0.7
Vue I18n versions 11.0.0 through 11.0.9
Description
Vue I18n, an internationalization plugin for Vue.js, contains a flaw in the
escapeParameterHtml: true option. This option is intended to prevent HTML/script injection, but fails to prevent the execution of tag-based payloads (such as <img src=x onerror=...>) when used with v-html in an HTML context. This can lead to a DOM-based Cross-Site Scripting (XSS) issue.Recommendations
Update to Vue I18n version 9.14.5 or later.
Update to Vue I18n version 10.0.8 or later.
Update to Vue I18n version 11.1.0 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vue-I18N
Vue.Js