CVE-2025-8082

Name of the Vulnerable Software and Affected Versions Vuetify versions 2.0.0 through 2.9.9

Description A flaw exists in the 'VDatePicker' component of Vuetify that allows unsanitized HTML to be inserted into a webpage. This is due to the improper handling of the 'title-date-format' property, which can accept a user-defined function and assign its output to the 'innerHTML' property of the title element without proper sanitization. This can lead to a Cross-Site Scripting (XSS) attack. The title-date-format property is vulnerable. Version 2.x of Vuetify is End-of-Life and will not receive updates to address this issue.

Recommendations Versions 2.0.0 through 2.9.9 are affected and will not receive updates. At the moment, there is no information about a newer version that contains a fix for this vulnerability.