PT-2026-57851 · Unknown · Phoenix Live View

Barna Kovacs

+2

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-58228

CVSS v4.0

5.1

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions phoenix live view versions 1.2.2 through 1.2.6
Description A cross-site scripting issue exists in phoenix live view due to improper URL scheme validation. The functions valid destination!/2 and valid live navigation destination!/2 use an internal uri scheme/1 helper that fails to detect schemes if the input begins with a space or an ASCII control character. Because standard browsers strip these leading characters before parsing, an attacker can provide a payload like " javascript:alert(1)" that bypasses validation and is treated as a safe relative path. When rendered via <.link href={...}>, the browser executes the script in the victim's session. This affects applications that render user-supplied URLs, such as redirect targets or profile links.
Recommendations Update phoenix live view to version 1.2.7 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58228

Affected Products

Phoenix Live View