Impact
Deck9 Input v2.0.1 contains a cross‑site scripting flaw that permits an attacker to inject arbitrary HTML or JavaScript into the interface. The CVE description states that a crafted payload can cause the browser to execute code provided by the attacker. The primary weakness is improper input sanitization (CWE‑79). If a victim loads the page, the injected code will run with the same privileges as the page – this is inferred because the description implies client‑side execution but does not explicitly state the exact user interaction.
Affected Systems
Deck9 Input version 2.0.1 is affected. No other product or version is listed as impacted in the current dataset. Users deploying v2.0.1 of the Deck9 Input web component are at risk.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% suggests exploit attempts are rare. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker would need to supply a crafted payload to an input field exposed by the application, which could be reachable to authenticated or unauthenticated users depending on the UI. The presumed impact is limited to client browsers and does not allow direct server compromise.
OpenCVE Enrichment