Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026

Kestra: Stored Cross-Site Scripting in Markdown File Preview

CVE-2026-29082

Description

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there are no publicly available patches.

Affected products

Kestra/Kestrav5
Range: <= 1.1.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kestra-io/kestra/releases/tag/v1.0.30mitrex_refsource_MISC
github.com/kestra-io/kestra/security/advisories/GHSA-r36c-83hm-pc8jmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000