CVE-2025-62798
MEDIUM
code16/sharp < 9.11.1 - Cross-Site Scripting in SharpShowTextField Component
Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ and }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
Issue Tracking x_refsource_misc
https://github.com/code16/sharp/pull/654
Release Notes x_refsource_misc
https://github.com/code16/sharp/releases/tag/v9.11.1
Scores
CVSS v3
5.4
EPSS
0.0020
EPSS Percentile
9.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
code16/sharp
0 - 9.11.1 (Packagist)
code16/sharp
< 9.11.1
Published
Oct 28, 2025
Tracked Since
Feb 18, 2026