VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16145

Description

The breadcrumbs module for Padrino Framework version 0.2.0 and earlier is vulnerable to stored XSS through an unsanitized caption parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The breadcrumbs contributed module for the Padrino Framework, through version 0.2.0, contains a stored cross-site scripting (XSS) vulnerability. The root cause is the lack of sanitization on the caption parameter used when generating breadcrumb navigation, allowing an attacker to inject arbitrary HTML or JavaScript [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious payload as the caption value for a breadcrumb. This can be achieved through any means that sets the caption, such as via user input in web forms or URL parameters if the application passes untrusted data to the breadcrumb helper. No authentication is required if the vulnerable component accepts data from unauthenticated users; the attack surface depends on how the application uses the breadcrumbs helper [2].

Impact

Successful exploitation enables the attacker to execute arbitrary script code in the context of the victim's browser. This can lead to session hijacking, defacement, credential theft, or other actions typically achievable with XSS. The injected script can be triggered when any user visits a page that renders the malicious breadcrumb [1][2].

Mitigation

The vulnerability is patched in a pull request that sanitizes the caption output. Users should upgrade to a patched version of padrino-contrib (e.g., by applying changes from reference [1]) or, if no official release is available, manually implement output encoding of the caption in their code [1][2].
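The mitigation above comes down to one rule: store the caption as plain text and HTML-encode it at output time, never mark untrusted input as HTML-safe. The following is an added illustration written for this page, not padrino-contrib's own code. It uses a hypothetical minimal `Breadcrumbs` class with the same `name`/`url`/`caption` shape as the helper, renders the trail once without encoding (the pre-fix behaviour that `html_safe` produced) and once with `CGI.escapeHTML` applied to every untrusted value, and feeds it a constructed sample caption so the difference is visible. ActiveSupport's `humanize` is omitted because it is not a sanitizer and does not change the outcome.

```ruby
require 'cgi'

# Added example (not padrino-contrib's code): a minimal breadcrumb trail that
# keeps captions as plain strings and encodes them only when rendering.
class Breadcrumbs
  Item = Struct.new(:name, :url, :caption)

  def initialize
    @items = []
  end

  # Mirrors the patched helper's shape: the caption is stored as an ordinary
  # string (no html_safe), so the renderer owns the escaping decision.
  def add(name, url, caption)
    @items << Item.new(name.to_sym, url.to_s, caption.to_s)
    self
  end

  # Pre-fix behaviour: the caption is interpolated verbatim into markup.
  # This is what marking the value html_safe amounted to in the original helper.
  def render_unsafe
    @items.map { |i| %(<a href="#{i.url}">#{i.caption}</a>) }.join(' / ')
  end

  # Fixed behaviour: every untrusted value is HTML-escaped at output time,
  # so angle brackets, quotes and ampersands become entities.
  def render_safe
    @items.map do |i|
      %(<a href="#{CGI.escapeHTML(i.url)}">#{CGI.escapeHTML(i.caption)}</a>)
    end.join(' / ')
  end
end

# Constructed sample caption of the kind the advisory describes: attacker-
# controlled text containing markup. Used only to verify the encoding.
SAMPLE_CAPTION = '<script>alert(1)</script>'

# Builds a two-item trail and returns both renderings for comparison.
def demo
  crumbs = Breadcrumbs.new
                      .add(:home, '/', 'Home')
                      .add(:item, '/items/1', SAMPLE_CAPTION)
  { unsafe: crumbs.render_unsafe, safe: crumbs.render_safe }
end

if __FILE__ == $PROGRAM_NAME
  out = demo
  puts "unsafe: #{out[:unsafe]}"
  puts "safe:   #{out[:safe]}"
end
```

A regression spec for the real helper follows the same pattern: add a breadcrumb whose caption contains markup, render the trail, and assert that the markup appears entity-encoded. Note that `CGI.escapeHTML` handles the element-body and attribute-value contexts shown here; a `url` placed in `href` still needs scheme validation separately, which is outside this advisory's scope.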

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
padrino-contrib   RubyGems    <= 0.2.0            (none listed)

Affected products: 2

Patches: 1
662616162265

Merge pull request #35 from basex/patch-1

https://github.com/padrino/padrino-contrib · Nathan Esquenazi · Sep 7, 2019 · via osv
1 file changed · +2 -2
  • lib/padrino-contrib/helpers/breadcrumbs.rb (+2 -2, modified)
    @@ -74,7 +74,7 @@ def initialize
             def set_home(url, caption, options = {})
               self.home = {
                 :url     => url.to_s,
    -            :caption => caption.to_s.humanize.html_safe,
    +            :caption => caption.to_s.humanize,
                 :name    => :home,
                 :options => options
               }
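Review bot: Dropping `.html_safe` from the `:caption` value in `set_home` is the right direction, but it only closes the hole if whatever renders `self.home[:caption]` escapes it on output; `humanize` is still applied and is a formatting call, not a sanitizer, so the value is now an ordinary string that ERB/HAML auto-escaping will encode. Please add a regression spec asserting that a home caption containing markup such as `<b>x</b>` renders entity-encoded, and note in the changelog that callers who relied on passing markup through the caption will now see it escaped.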
    @@ -133,7 +133,7 @@ def add(name, url, caption, options = {})
               items << {
                 :name    => name.to_sym,
                 :url     => url.to_s,
    -            :caption => caption.to_s.humanize.html_safe,
    +            :caption => caption.to_s.humanize,
                 :options => options
               }
             end
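Review bot: Same change for `add`; both call sites now build the caption identically as `caption.to_s.humanize`, so a small private helper would keep them from drifting apart again. It is also worth confirming that the list-rendering code (not in this diff) does not re-mark the joined output with `html_safe` or `raw`, which would reintroduce the issue despite these two lines.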
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.