A flaw in the Dioxus Components library causes the use_animated_open helper to build a string that is later run through JavaScript's eval function, using an identifier that can be controlled by the end user. If an attacker supplies a specially crafted ID, arbitrary JavaScript code will execute in the context of the browser window that renders the component. This introduces the potential for cross‑site scripting, theft of credentials stored in the client, or modification of the page’s content, resulting in a loss of confidentiality and integrity for users of applications that embed this component.

The vulnerability exists in all releases of DioxusLabs:components before commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. Any application that imports the components library and uses the use_animated_open helper with user‑supplied ID values is affected. Updating to the patched commit or any subsequent release eliminates the flaw.

The CVSS score of 5.3 indicates moderate risk, and the EPSS score of less than 1% suggests that exploit attempts are currently unlikely. The vulnerability is not listed in CISA’s KEV catalog, and there are no public exploit references. The attack requires elevation of a user‑supplied ID value to the component rendering code, which means a malicious actor could craft an input that triggers eval when the component is rendered. Because the flaw uses eval on controlled data, it is considered a code injection risk (CWE‑94, CWE‑95).