Impact
In Kestra versions 1.1.10 and older, the application renders user-supplied Markdown files with the markdown-it library configured with html:true, so raw HTML in the Markdown source is passed through unchanged. The resulting HTML is then injected directly into the page via Vue's v-html directive without any sanitization. An attacker who can supply a Markdown file can therefore embed arbitrary HTML and JavaScript in it. When a victim opens the preview of the malicious file, the script runs in their browser, enabling session hijacking, defacement, or further malicious activity consistent with a stored cross-site scripting vulnerability (CWE-79).
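The root cause described above is raw HTML travelling from markdown-it (html:true) into v-html untouched. The direct fix is to render with html:false; where raw HTML in Markdown must be kept, the renderer's output has to be sanitized before it is bound. The block below is an added example, not Kestra's code, showing that output-side step as an allowlist sanitizer in plain JavaScript (the tag and attribute lists are assumptions chosen for a README-style preview); in production a maintained library such as DOMPurify is the usual choice.

```javascript
// Added example (not Kestra's code): allowlist sanitizer for HTML produced by a
// Markdown renderer, applied before the string reaches v-html. Tag and
// attribute lists are assumptions chosen for a typical README preview.
const ALLOWED_TAGS = new Set(['p', 'a', 'em', 'strong', 'code', 'pre', 'ul', 'ol',
  'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'br', 'hr', 'img',
  'table', 'thead', 'tbody', 'tr', 'th', 'td']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'],
  code: ['class'], pre: ['class'] };
// Elements whose whole body is removed, not just the tag itself.
const DROP_WITH_BODY = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const VOID_TAGS = new Set(['br', 'hr', 'img']);
// Only http(s), mailto and clearly relative targets are accepted in href/src.
// The test runs on the raw attribute text, so an entity-encoded scheme never
// matches the prefix and the attribute is dropped.
const SAFE_URL = /^(?:https?:\/\/|mailto:|\/(?!\/)|#|\.{1,2}\/)/i;
const TOKEN = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function sanitizeHtml(html) {
  let out = '', last = 0, skipUntil = null, m;
  // Text between tags is kept (or dropped inside a skipped element); any stray
  // '<' that did not form a tag is escaped so it cannot start one in the browser.
  const text = (s) => (skipUntil ? '' : s.replace(/</g, '&lt;'));
  TOKEN.lastIndex = 0;
  while ((m = TOKEN.exec(html)) !== null) {
    out += text(html.slice(last, m.index));
    last = TOKEN.lastIndex;
    if (m[2] === undefined) continue;                 // HTML comment: drop it
    const name = m[2].toLowerCase(), closing = m[1] === '/';
    if (skipUntil) {                                  // inside <script>, <iframe>, ...
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_BODY.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;            // unknown tag: keep only its text
    if (closing) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    let attrs = '', a;
    ATTR.lastIndex = 0;
    while ((a = ATTR.exec(m[3])) !== null) {
      const key = a[1].toLowerCase(), val = a[2] ?? a[3] ?? a[4];
      if (!(ALLOWED_ATTRS[name] || []).includes(key)) continue;  // drops on*, style, ...
      if ((key === 'href' || key === 'src') && !SAFE_URL.test(val.trim())) continue;
      attrs += ` ${key}="${val.replace(/"/g, '&quot;')}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + text(html.slice(last));
}
```

Bind the returned string to v-html instead of the renderer's raw output; text the renderer already escaped (for example `&lt;`) passes through unchanged.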
Affected Systems
The affected product is Kestra, an event-driven orchestration platform made by kestra-io:kestra. All releases from 1.1.10 down to the earliest available are susceptible. No patched version exists at the time of publication; the advisory itself notes that a public fix has not yet been released.
Risk and Exploitability
The CVSS score is 7.3, indicating high severity, while the EPSS score is less than 1%. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local or requires the attacker to supply a Markdown file that an end user will preview. Once the file is previewed, the malicious code executes in the context of the victim's browser. Because the flaw is stored, any user who opens the file, regardless of their authentication level, can be affected. No additional exploitation prerequisites are detailed in the advisory, suggesting that the vulnerability is broadly exploitable within the user base that interacts with Markdown previews.
OpenCVE Enrichment