CVE-2026-30117
Description
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An arbitrary file upload via a crafted SVG in scalar/astro v0.1.3's Scalar Proxy endpoint allows unauthenticated remote code execution.
Vulnerability
In scalar/astro v0.1.3, the Scalar Proxy endpoint accepts an attacker-controlled URL via the scalar_url query parameter, downloads the referenced SVG file server-side, and returns it to the client without sanitization or script blocking. Because SVG supports embedded JavaScript, this enables arbitrary code execution in the context of proxy.scalar.com. The affected endpoint is https://proxy.scalar.com/?scalar_url=. This issue is assigned CWE-79 (Cross-Site Scripting) and CWE-601 (Open Redirect) [1].
Exploitation
An attacker hosts a malicious SVG file (e.g., poc-xss.svg) containing embedded JavaScript on a server they control. The attacker then crafts a URL pointing to that file via the scalar_url parameter. When a victim visits this crafted URL, the proxy fetches the SVG and serves it to the victim's browser, which executes the embedded script in the security context of proxy.scalar.com. No authentication or user interaction beyond visiting the link is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser under the proxy.scalar.com origin. This can be used to steal cookies scoped to .scalar.com, redirect the victim to a phishing page, or perform unauthorized actions in the victim's session. The CVSS v3 score is 9.8 (Critical), indicating Remote Code Execution (RCE) risk due to the arbitrary file upload vector [1].
Mitigation
As of the publication date (2026-05-19), no official patch has been released by scalar.com. The package scalar/astro v0.1.3 is affected; users should restrict access to the Scalar Proxy endpoint, implement input validation for the scalar_url parameter, and ensure the endpoint does not serve user-controlled content without proper Content-Type and Content-Security-Policy headers. Monitor the vendor for a fixed version [1].
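The mitigation above amounts to three controls on the proxy handler: validate the scalar_url value before fetching anything, never relay a user-controlled document type inline, and send headers that keep whatever is relayed from executing in the proxy's origin. The following is an added example written for this page, not code from the scalar/astro project; it assumes a hypothetical allowlist of upstream hosts (api.example.com) and takes the upstream fetch as an injected function so it runs offline with constructed sample responses.

```javascript
// Added example, not the scalar/astro project's own code. Hardened handling of
// a proxy endpoint that accepts a user-supplied URL in ?scalar_url=.
// ALLOWED_HOSTS is a hypothetical allowlist; no network access is performed.

const ALLOWED_HOSTS = new Set(['api.example.com']); // hypothetical allowlist

// Validate the raw scalar_url query value. Returns { ok: true, url } on
// success or { ok: false, reason } describing why it was rejected.
function validateScalarUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'missing or oversized scalar_url' };
  }
  let url;
  try {
    url = new URL(raw); // rejects relative and malformed values
  } catch {
    return { ok: false, reason: 'scalar_url is not an absolute URL' };
  }
  if (url.protocol !== 'https:') {
    // Also rejects javascript:, data:, file: and plain http: targets.
    return { ok: false, reason: 'only https targets are allowed' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in scalar_url are not allowed' };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} is not on the allowlist` };
  }
  return { ok: true, url };
}

// Media types a browser renders as an active document (script-capable).
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml',
]);

// Build response headers that relay an upstream body without letting it run
// in the proxy's origin. Document types are forced to download.
function relayHeaders(upstreamContentType) {
  const mediaType = String(upstreamContentType || '')
    .split(';')[0].trim().toLowerCase();
  const headers = {
    'X-Content-Type-Options': 'nosniff',       // no MIME sniffing into SVG/HTML
    'Content-Security-Policy': "sandbox; default-src 'none'", // no scripts, opaque origin
    'Cache-Control': 'no-store',
  };
  if (ACTIVE_TYPES.has(mediaType)) {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = 'attachment';
  } else {
    headers['Content-Type'] = mediaType || 'application/octet-stream';
  }
  return headers;
}

// Handle one proxy request given its query string. fetchUpstream(url) is
// injected and must return { contentType, body }; it is never called unless
// validation passed.
function handleProxyRequest(queryString, fetchUpstream) {
  const params = new URLSearchParams(queryString);
  const check = validateScalarUrl(params.get('scalar_url'));
  if (!check.ok) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: check.reason };
  }
  const upstream = fetchUpstream(check.url);
  return { status: 200, headers: relayHeaders(upstream.contentType), body: upstream.body };
}

// Constructed upstream stub: an SVG carrying an (inert) script element, the
// kind of document the proxy must not render inline.
const svgUpstream = () => ({
  contentType: 'image/svg+xml; charset=utf-8',
  body: '<svg xmlns="http://www.w3.org/2000/svg"><script></script></svg>',
});

module.exports = { validateScalarUrl, relayHeaders, handleProxyRequest, svgUpstream };
```

Even when the allowlisted host legitimately serves SVG, the handler relays it as a download under a sandboxing CSP, so a script inside the file has no origin to act in; the allowlist is what prevents the endpoint from doubling as an open redirect or fetch-anything proxy.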
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions: 0
No linked articles in our index yet.