CVE-2025-1461

MEDIUM

Vuetify >=2.0.0 < - XSS

Title source: llm

Description

Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a  Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss  attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation. This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .

Exploits (1)

nomisec WORKING POC
by neverendingsupport · poc
https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461

References (2)

Scores

CVSS v3 5.6
EPSS 0.0025
EPSS Percentile 48.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-79
Status published
Products (1)
N/A/Vuetify >=2.0.0 <3.0.0
Published May 28, 2025
Tracked Since Feb 18, 2026