PT-2026-57851 · Unknown · Phoenix Live View
Barna Kovacs
+2
·
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-58228
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
phoenix live view versions 1.2.2 through 1.2.6
Description
A cross-site scripting issue exists in phoenix live view due to improper URL scheme validation. The functions
valid destination!/2 and valid live navigation destination!/2 use an internal uri scheme/1 helper that fails to detect schemes if the input begins with a space or an ASCII control character. Because standard browsers strip these leading characters before parsing, an attacker can provide a payload like " javascript:alert(1)" that bypasses validation and is treated as a safe relative path. When rendered via <.link href={...}>, the browser executes the script in the victim's session. This affects applications that render user-supplied URLs, such as redirect targets or profile links.Recommendations
Update phoenix live view to version 1.2.7 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phoenix Live View