Description
A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in Blitz's Sign-In component, in the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx, allows an attacker to inject arbitrary JavaScript via the Next parameter. The injected payload is rendered without proper escaping, leading to a cross-site scripting condition. The flaw can be exploited remotely by supplying a crafted Next value in an HTTP request to the login page.

Affected Systems

The vulnerability affects versions of blitz-js Blitz up to and including 3.0.2. No later release containing a fix is available. The issue resides in the LoginForm.tsx component of the Blitz authentication flow.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS information is not available, and the flaw is not listed in CISA KEV. Attackers can reach the vulnerable code remotely, and public exploit code has been released, raising the likelihood of real-world attacks. The primary risk is execution of malicious script in the context of the user's browser, which could lead to data disclosure or manipulation if the attack succeeds.

Generated by OpenCVE AI on May 26, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blitz to a release newer than 3.0.2 once one that corrects the Next parameter handling is available.
  • At the very least, validate or allow-list the Next parameter on the server side before rendering it back to the client.
  • Implement a Content Security Policy that disallows inline script execution and limits script sources to trusted domains.


Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | (empty) | A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | (empty) | blitz-js blitz Sign-in LoginForm.tsx cross site scripting
First Time appeared | (empty) | Blitz-js; Blitz-js blitz
Weaknesses | (empty) | CWE-79; CWE-94
CPEs | (empty) | cpe:2.3:a:blitz-js:blitz:*:*:*:*:*:*:*:*
Vendors & Products | (empty) | Blitz-js; Blitz-js blitz
References | (empty) | (empty)
Metrics (cvssV2_0) | (empty) | {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | (empty) | {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | (empty) | {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | (empty) | {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T01:30:09.761Z

Reserved: 2026-05-25T19:12:43.499Z

Link: CVE-2026-9520

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T04:00:13Z

Weaknesses