CVE-2023-1001
Description
A vulnerability, which was classified as problematic, has been found in xuliangzhan vxe-table up to 3.7.9. This issue affects the function export of the file packages/textarea/src/textarea.js of the component vxe-textarea. The manipulation of the argument inputValue leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.7.10 is able to address this issue. The patch is named d70b0e089740b65a22c89c106ebc4627ac48a22d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-266123.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) vulnerability in vxe-table up to 3.7.9 lets a remote attacker inject markup, and with it arbitrary JavaScript, through the inputValue of the vxe-textarea component.
CVE-2023-1001 is a vulnerability classified as problematic in xuliangzhan vxe-table up to version 3.7.9. The issue sits in packages/textarea/src/textarea.js of the vxe-textarea component, in the module's exported component code, which passes the inputValue argument through unescaped. Manipulation of this argument leads to cross-site scripting (XSS) [1][2]. The root cause is that the component writes inputValue into a hidden mirror element (autoTxtElem, used to measure the height of the auto-sizing textarea) via innerHTML, so any markup in the value is parsed as HTML; inline event-handler attributes such as onerror then fire in the victim's page, even though script tags inserted through innerHTML do not execute [4].
The attack can be initiated remotely. The vulnerability is rated low severity with a CVSS v3 score of 3.5. No authentication requirement is stated, so any user who can supply a value that ends up in a vxe-textarea component on a vulnerable page could exploit it. The vector is the network, but exploitation requires the crafted value to be rendered by the component, which in practice usually means some user interaction [1][2].
Successful exploitation lets the attacker execute arbitrary JavaScript in the context of the victim's browser session, which can lead to data theft, session hijacking or other client-side attacks. The vulnerability is not known to be exploited in the wild and is not listed in the KEV catalog [2].
Mitigation is straightforward: upgrading to vxe-table 3.7.10 resolves the issue. The fix commit (d70b0e089740b65a22c89c106ebc4627ac48a22d) changes the assignment from innerHTML to innerText, so the value is inserted as text instead of being parsed as markup, which closes the injection [3][4]. No workarounds have been published, so upgrading the affected component is strongly recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
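The two things a practitioner wants after reading the narrative above are a quick way to tell whether a deployed copy of vxe-table still predates 3.7.10 and carries the innerHTML sink, and a concrete look at why innerHTML is exploitable while innerText is not. The following is an added example written for this page; it is not vxe-table's own code. Its sample source is constructed (the two statements are the pre- and post-patch lines from the diff above, the placeholderElem line is invented), the XSS payload is constructed and deliberately benign, the version parser assumes prerelease tags can be ignored, and the demonstrateSinks helper only runs where a DOM exists.

```javascript
// Added example for CVE-2023-1001; not vxe-table's own code.
// Node part: decide whether an installed vxe-table version predates the fix and
// flag innerHTML assignments fed from runtime data (the sink class of this bug).
// Browser part: show on a real element why innerHTML is exploitable and innerText is not.

const FIXED_VERSION = [3, 7, 10]; // first release containing commit d70b0e08

// Parse "3.7.9", "v3.7.10" or "3.7.10-beta.1" into [major, minor, patch].
// Assumption: prerelease tags are ignored, so 3.7.10-beta.1 compares as 3.7.10.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version is below 3.7.10, i.e. still carries the innerHTML sink.
function isAffected(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED_VERSION[i]) return a[i] < FIXED_VERSION[i];
  }
  return false;
}

// Report `x.innerHTML = ...` / `x.innerHTML += ...` whose right-hand side is not a
// plain string literal. A constant literal cannot carry attacker data; anything
// else (a variable, a concatenation, a call result) deserves a look.
function findInnerHtmlSinks(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const m = /\.innerHTML\s*\+?=(?!=)\s*(.*)$/.exec(text);
    if (!m) return;
    const rhs = m[1].trim().replace(/;\s*$/, '');
    const isLiteral = /^(['"])(?:(?!\1).)*\1$/.test(rhs) || /^`[^`$]*`$/.test(rhs);
    if (!isLiteral) hits.push({ line: idx + 1, text: text.trim() });
  });
  return hits;
}

// Constructed sample: lines 2 and 4 are the pre- and post-patch statements from
// textarea.js; the placeholderElem line is invented to show a benign literal.
const SAMPLE_SOURCE = [
  "// pre-patch (vxe-table <= 3.7.9)",
  "autoTxtElem.innerHTML = ('' + (inputValue || ' ')).replace(/\\n$/, '\\n ')",
  "// post-patch (vxe-table 3.7.10)",
  "autoTxtElem.innerText = ('' + (inputValue || ' ')).replace(/\\n$/, '\\n ')",
  "// constructed benign assignment: constant markup, no runtime data",
  "placeholderElem.innerHTML = '<span class=\"vxe-empty\"></span>'",
].join('\n');

// Browser-only: the same value written through both sinks of a detached mirror div.
// innerHTML parses the payload and creates an <img>, whose onerror handler fires
// even though the div is never attached; innerText stores the payload as text only.
function demonstrateSinks(doc) {
  const payload = '<img src=x onerror="console.log(\'onerror fired: attacker code ran\')">'; // constructed payload
  const mirror = doc.createElement('div');
  mirror.innerHTML = payload;                               // vulnerable sink
  const vulnerableCreatedElement = mirror.querySelector('img') !== null;
  mirror.innerText = payload;                               // patched sink
  const fixedCreatedElement = mirror.querySelector('img') !== null;
  return { vulnerableCreatedElement, fixedCreatedElement };
}

console.log('3.7.9 affected:', isAffected('3.7.9'), '| 3.7.10 affected:', isAffected('3.7.10'));
console.log('innerHTML sinks in sample:', findInnerHtmlSinks(SAMPLE_SOURCE));
if (typeof document !== 'undefined') console.log(demonstrateSinks(document));
```

Run under Node to audit a checkout: pass the contents of the installed textarea.js (or any other component file) to findInnerHtmlSinks and the version from its package.json to isAffected. Pasted into a browser console, demonstrateSinks(document) returns vulnerableCreatedElement true and fixedCreatedElement false, and the console message from the onerror handler shows that the handler ran the moment innerHTML parsed the payload, which is exactly what an attacker-controlled inputValue achieves in the unpatched component.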
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vxe-table (npm) | < 3.7.10 | 3.7.10 |
Affected products
Patches
d70b0e089740 textarea: fix XSS injection issue #I8O21R
2 files changed · +5 −3
packages/table/src/body.js+4 −2 modified@@ -499,8 +499,10 @@ export default { elemStore[`${prefix}xSpace`] = $refs.xSpace elemStore[`${prefix}ySpace`] = $refs.ySpace elemStore[`${prefix}emptyBlock`] = $refs.emptyBlock - this.$el.onscroll = this.scrollEvent - this.$el._onscroll = this.scrollEvent + if (this.$el) { + this.$el.onscroll = this.scrollEvent + this.$el._onscroll = this.scrollEvent + } }, beforeDestroy () { clearTimeout(this.wheelTime)
packages/textarea/src/textarea.js+1 −1 modified@@ -188,7 +188,7 @@ export default { autoTxtElem.className = ['vxe-textarea--autosize', size ? `size--${size}` : ''].join(' ') autoTxtElem.style.width = `${textElem.clientWidth}px` autoTxtElem.style.padding = textStyle.padding - autoTxtElem.innerHTML = ('' + (inputValue || ' ')).replace(/\n$/, '\n ') + autoTxtElem.innerText = ('' + (inputValue || ' ')).replace(/\n$/, '\n ') } }, handleResize () {
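Review bot: the body.js hunk (the `if (this.$el)` guard around `this.$el.onscroll = this.scrollEvent` and `this.$el._onscroll = this.scrollEvent`) has nothing to do with the XSS fix the commit message describes and would be cleaner as a separate commit, or at least called out in the message. The guard also silently skips wiring the scroll handlers when `$el` is missing; a short comment on when this mounted-time code can run without a root element, or a warning in that branch, would make the intent reviewable instead of leaving a table that simply stops reacting to scroll.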
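Review bot: the switch to `autoTxtElem.innerText` closes the sink but leaves no explanation of why `innerText` rather than `textContent` was chosen, and the choice is load-bearing: the `innerText` setter turns each `\n` in `('' + (inputValue || ' ')).replace(/\n$/, '\n ')` into a `<br>`, which is what keeps the mirror element's height tracking the textarea, whereas `textContent` is cheaper (no style recalculation) but only measures correctly if `.vxe-textarea--autosize` preserves whitespace with `white-space: pre-wrap`, which this diff does not show. A one-line comment stating that, plus a regression test that feeds a value such as `<img src=x onerror=...>` with a trailing newline through the component and asserts both that no child element is created and that the measured height equals that of a plain-text value of the same length, would lock the fix in.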
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2qjp-fg8c-g878 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-1001 (NVD advisory)
- gitee.com/xuliangzhan_admin/vxe-table/commit/d70b0e089740b65a22c89c106ebc4627ac48a22d (fix commit, Gitee)
- gitee.com/xuliangzhan_admin/vxe-table/issues/I8O21R (issue)
- gitee.com/xuliangzhan_admin/vxe-table/tree/3.7.10 (patched release)
- github.com/x-extends/vxe-table/commit/d70b0e089740b65a22c89c106ebc4627ac48a22d (fix commit, GitHub)
- vuldb.com (VulDB entry VDB-266123)
News mentions
No linked articles in our index yet.