VYPR
Unrated severityNVD Advisory· Published Mar 26, 2026· Updated Mar 27, 2026

Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

CVE-2026-33664

Description

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs[].displayName, inputs[].description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Kestra/Kestrallm-fuzzy2 versions
    <=1.3.3+ 1 more
    • (no CPE)range: <=1.3.3
    • (no CPE)range: <= 1.3.3

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.