Description
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
Published: 2026-06-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mixpost versions through 2.6.0 contain a reflected cross-site scripting flaw that allows attackers who can craft a malicious OAuth callback URL to inject arbitrary JavaScript. The flaw exists because the OAuth callback controller places the error query parameter, unsanitized, in a Laravel flash message that a Vue component then renders with the v-html directive, so the injected markup executes in the victim's browser. Successful exploitation can hijack authenticated user sessions or trigger unauthorized actions.

Affected Systems

The affected product is Mixpost from inovector, specifically version 2.6.0 and any earlier releases that do not contain the fix. The issue is tied to the OAuth callback controller and its handling of error query parameters in those releases.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS data is not available, so the likelihood of exploitation is uncertain, but the advisory reports that the flaw is exploitable via crafted URLs that authenticated users visit. The vulnerability is not listed in CISA's KEV catalog, which suggests no widespread proven exploitation so far, but the potential for session hijacking or unauthorized actions warrants timely remediation.

Generated by OpenCVE AI on June 29, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mixpost to a patched version that sanitizes OAuth error parameters before rendering them.
  • If an update is unavailable, immediately apply input sanitization or escaping to all OAuth callback error parameters and configure Vue templates to avoid rendering user-controlled content via v-html.
  • Restrict OAuth callback URLs to a whitelist of known hosts or implement stricter validation logic to block malicious script injection attempts.
  • Monitor application logs and user activity for signs of script execution or session hijacking and disable the feature that outputs unsanitized error messages if remediation is delayed.
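The pattern the description and the recommended actions refer to, shown as an added illustration that is not Mixpost's own code: an `error` query parameter copied from the OAuth callback URL into a flash message and then rendered with v-html, beside a hardened version that allow-lists the RFC 6749 error codes and escapes the displayed text. The function names, the sample callback URL and the rendering stand-ins are assumptions constructed for the example.

```javascript
// Added illustration of the bug class in CVE-2026-57958; not Mixpost's code.
// Model: the OAuth callback controller copies the `error` query parameter into
// a flash message, and a Vue component renders that flash with v-html.

// Escape the characters that change meaning when text is inserted into HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Error codes defined by RFC 6749 section 4.1.2.1; anything else is reported as unknown.
const OAUTH_ERROR_CODES = new Set([
  'invalid_request', 'unauthorized_client', 'access_denied',
  'unsupported_response_type', 'invalid_scope', 'server_error',
  'temporarily_unavailable',
]);

// Vulnerable shape (hypothetical): the raw parameter goes straight into the flash text.
function flashFromCallbackUnsafe(callbackUrl) {
  const error = new URL(callbackUrl).searchParams.get('error') ?? 'unknown_error';
  return `Authorization failed: ${error}`;
}

// Hardened shape: allow-list the code and escape what is displayed, so the
// message stays inert even if a template still renders it with v-html.
function flashFromCallbackSafe(callbackUrl) {
  const raw = new URL(callbackUrl).searchParams.get('error') ?? 'unknown_error';
  const error = OAUTH_ERROR_CODES.has(raw) ? raw : 'unknown_error';
  return `Authorization failed: ${escapeHtml(error)}`;
}

// Stand-ins for what the two Vue directives hand the browser: v-html inserts the
// string as markup, v-text inserts it as a text node (equivalent to escaping).
function renderWithVHtml(message) { return `<div class="flash">${message}</div>`; }
function renderWithVText(message) { return `<div class="flash">${escapeHtml(message)}</div>`; }

// True when the rendered flash body still contains a tag the browser would parse.
function containsMarkup(html) {
  const body = html.replace(/^<div class="flash">|<\/div>$/g, '');
  return /<[a-z!/]/i.test(body);
}

// Constructed sample: a callback URL whose error parameter carries a script tag.
const SAMPLE_CALLBACK = 'https://app.example/oauth/callback?state=abc&error=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log(containsMarkup(renderWithVHtml(flashFromCallbackUnsafe(SAMPLE_CALLBACK)))); // true
console.log(containsMarkup(renderWithVHtml(flashFromCallbackSafe(SAMPLE_CALLBACK))));   // false
```

Either change alone (allow-listing the parameter server-side, or switching the template from v-html to v-text) neutralizes the sample input; applying both is the defense-in-depth the recommended actions describe.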

Generated by OpenCVE AI on June 29, 2026 at 19:21 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared  (none)            Inovector; Inovector mixpost
Vendors & Products   (none)            Inovector; Inovector mixpost

Mon, 29 Jun 2026 19:30:00 +0000

Type     Values Removed    Values Added
Metrics  (none)            ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type         Values Removed    Values Added
Description  (none)            Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
Title        (none)            Mixpost 2.6.0 - Reflected XSS via OAuth Callback Error Parameter
Weaknesses   (none)            CWE-79
References   (none)            (none)
Metrics      (none)            cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T18:08:38.548Z

Reserved: 2026-06-26T13:59:33.048Z

Link: CVE-2026-57958

Vulnrichment

Updated: 2026-06-29T18:08:13.719Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:51Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')