PT-2025-36908 · Unknown · Elements Plus!

Snowbitx · Published 2025-09-09 · Updated 2025-09-10 · CVE-2025-57665

CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Element Plus versions through 2.10.6
Description: The Element Plus Link component (el-link) does not sufficiently validate the value bound to its href attribute. An attacker who controls that value can supply a URL with a dangerous scheme (such as javascript:, data:, or file:) or a URL that sends the user to a malicious site. In applications that pass user-controlled or untrusted URLs to the component, this enables cross-site scripting (XSS), phishing, and open redirect attacks.
Recommendations: Element Plus versions prior to 2.10.6 are affected. Validate and sanitize the href value before passing it to the Link component, and deploy security headers to reduce the impact of user-controlled URLs.
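The href validation the recommendation calls for, as an added example that is not Element Plus code and not part of this advisory: an allow-list filter that an application applies to untrusted input before binding it to the component. The base origin `https://app.example.invalid/`, the `allowedHosts` policy and the sample inputs are constructed for the example.

```javascript
// Added example, not Element Plus code: an allow-list filter an application can
// apply to untrusted input before binding it to <el-link :href="...">.
// Assumptions: "https://app.example.invalid/" is a constructed base origin used to
// resolve relative links; `allowedHosts` is the application's own link policy.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://app.example.invalid/';

function reject(reason) {
  // '#' is an inert placeholder so the template never receives the raw input.
  return { ok: false, href: '#', reason };
}

// Returns { ok: true, href } with a normalized absolute URL, or
// { ok: false, href: '#', reason } when the input must not be used as a link.
function safeHref(input, allowedHosts = null) {
  if (typeof input !== 'string') return reject('not a string');
  let url;
  try {
    // The WHATWG parser drops leading/trailing control characters and embedded
    // tab/newline and lower-cases the scheme, so "  JaVa\tScript:" is still
    // classified as javascript: instead of slipping past a naive string check.
    url = new URL(input, BASE);
  } catch {
    return reject('unparseable');
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return reject(`scheme ${url.protocol}`);
  // Open-redirect guard: when the application only links to known hosts, refuse
  // anything else, which also covers protocol-relative input like "//other.example".
  if (allowedHosts && url.protocol !== 'mailto:' && !allowedHosts.includes(url.hostname)) {
    return reject(`host ${url.hostname}`);
  }
  return { ok: true, href: url.href, reason: null };
}

// Constructed sample inputs covering the cases the advisory names.
const SAMPLES = [
  'https://docs.example.invalid/guide',
  '/account/settings',
  '  JaVa\tScript:alert(1)',
  'data:text/html,<h1>hi</h1>',
  'file:///etc/hosts',
  '//other.example.invalid/login',
];

for (const s of SAMPLES) {
  const r = safeHref(s, ['app.example.invalid', 'docs.example.invalid']);
  console.log(JSON.stringify(s), '->', r.ok ? r.href : `rejected (${r.reason})`);
}
```

Relative inputs are resolved against the application's own origin, so the value handed to the component is always an absolute URL with a known scheme.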

Tags: Fix · Open Redirect · XSS · Improper Encoding or Escaping of Output · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-57665
GHSA-5M5X-9J46-H678

Affected Products

Elements Plus!