VYPR
Low severity (3.5) · NVD Advisory · Published Mar 16, 2026 · Updated Apr 22, 2026

CVE-2026-4175

Description

A vulnerability was found in Aureus ERP (aureuserp/aureuserp). The affected file is plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php in the Chatter Message Handler component: the fix commit shows the message subject and body being echoed with Blade's unescaped {!! ... !!} directive. A stored subject or body that contains HTML is therefore rendered as markup instead of text, which allows cross-site scripting against anyone who views the message; the attack can be launched remotely by whoever can create or edit chatter messages. The published description states the affected range as "up to 1.3.0-BETA2" while naming 1.3.0-BETA1 as the fixed version; that figure does not agree with the fix version in the same sentence or with the GitHub Security Advisory range below (< 1.3.0-BETA1 affected, 1.3.0-BETA1 patched), so the BETA1 boundary should be taken as authoritative. The fix is commit 2135ee7efff4090e70050b63015ab5e268760ec8, which routes these outputs, and several similar ones in mail and page templates, through str(...)->sanitizeHtml(). Upgrading the affected component is recommended.
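The fix replaces raw Blade echoes in nine templates, which raises the practical question of whether any were missed. The audit script below is an added example, not part of this advisory or of the AureusERP project; its function names and the constructed sample templates are mine, and it assumes only POSIX sh with find and grep. It lists every {!! ... !!} directive whose line does not route the value through sanitizeHtml(), which is exactly the pattern the patch rewrote.

```shell
#!/bin/sh
# Added audit script (not from the advisory or the AureusERP project).
# Finds Blade unescaped-echo sinks, `{!! ... !!}`, whose line does not also
# route the value through ->sanitizeHtml(), i.e. the pattern CVE-2026-4175's
# fix replaced. Heuristic: one directive per line; `{!! e($x) !!}` and
# directives spanning several lines are not understood and need manual review.

# Print "file:line:text" for each raw echo lacking sanitizeHtml( on its line.
find_raw_blade_echoes() {
    find "$1" -type f -name '*.blade.php' -exec grep -Hn '{!!' '{}' + 2>/dev/null \
        | grep -v 'sanitizeHtml(' \
        || true
}

# Number of such lines; 0 means the tree is clean under this heuristic.
count_raw_blade_echoes() {
    find_raw_blade_echoes "$1" | grep -c . || true
}

# Build a small constructed Blade tree mirroring the before/after state of the
# patch: one unfixed view, one fixed view that also uses escaped output.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/chatter" "$tmp/sales"
    # Unfixed: stored subject and body echoed raw (what the patch removed).
    cat > "$tmp/chatter/content-text-entry.blade.php" <<'EOF'
<div class="subject">{!! $record->subject !!}</div>
<div class="body">{!! $record->body !!}</div>
EOF
    # Fixed: raw echo routed through sanitizeHtml(); the escaped {{ }} echo
    # below it is not a sink at all and must not be reported.
    cat > "$tmp/sales/quotation.blade.php" <<'EOF'
<div class="notification">{!! str($payload['description'])->sanitizeHtml() !!}</div>
<p>{{ $payload['from']['name'] }}</p>
EOF
    printf '%s\n' "$tmp"
}

# Demo run against the constructed tree; point find_raw_blade_echoes at a real
# checkout (for example plugins/) to audit it.
SAMPLE_DIR=$(make_sample_tree)
printf '%s\n' 'Raw {!! !!} echoes without sanitizeHtml():'
find_raw_blade_echoes "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

Run it as find_raw_blade_echoes plugins/ from the repository root. It is a line-based heuristic: a directive split across lines is missed, and {!! e($x) !!} or a value already sanitized upstream is reported as a false positive, so treat hits as a review list rather than a verdict.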

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: aureuserp/aureuserp (Packagist)
Affected versions: < 1.3.0-BETA1
Patched versions: 1.3.0-BETA1

Patches

2135ee7efff4

Merge pull request #939 from suraj-webkul/xss-issues-into-chatter

https://github.com/aureuserp/aureuserp · Jitendra Singh · Jan 12, 2026 · via ghsa
9 files changed · +11 −11
  • plugins/webkul/accounts/resources/views/mail/invoice/actions/invoice.blade.php (+1 −1, modified)
    @@ -4,7 +4,7 @@
         </div>
     
         <div class="notification">
    -        {!! $payload['description'] !!}
    +        {!! str($payload['description'])->sanitizeHtml() !!}
         </div>
     
         @isset($payload['from']['company'])
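Review bot: sanitizeHtml() on the added line is not a method Laravel's Stringable provides on its own; it has to come from a macro (Filament's support package registers one), so this mail template now depends on that macro being registered wherever the mail is rendered, including queued mail workers. Add a feature test that renders this mail with a description containing <script> and an onerror attribute and asserts neither survives, so a missing macro fails in CI instead of throwing BadMethodCallException at send time.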
    
  • plugins/webkul/blogs/resources/views/filament/customer/resources/post/pages/view-record.blade.php (+1 −1, modified)
    @@ -32,7 +32,7 @@
         @endif
     
         <p>
    -        {!! $record->content !!}
    +        {!! str($record->content)->sanitizeHtml() !!}
         </p>
     
         @if ($record->tags->count())
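Review bot: sanitizing at render time leaves the stored $record->content unsanitized, so any other consumer of the same column (an API resource, an export, an RSS feed, another Blade view added later) still emits the raw HTML. Consider also sanitizing when the post is saved, or exposing a sanitized accessor on the model, and keep this view-level call as defence in depth rather than as the only barrier.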
    
  • plugins/webkul/chatter/resources/views/filament/infolists/components/activities/content-text-entry.blade.php (+1 −1, modified)
    @@ -6,7 +6,7 @@
     <div {{ $attributes->merge($getExtraAttributes())->class('flex flex-col gap-2') }}>
         @if ($record->body)
             <div class="text-sm leading-6 text-gray-700 dark:text-white overflow-x-hidden max-w-full break-words [&_a]:text-primary-600 dark:[&_a]:text-primary-400 [&_a:hover]:underline [&_ul]:list-disc [&_ul]:ms-5 [&_ol]:list-decimal [&_ol]:ms-5">
    -            {!! $record->body !!}
    +            {!! str($record->body)->sanitizeHtml() !!}
             </div>
         @endif
     
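Review bot: this view and the messages view render the same body with the same long Tailwind class string and now the same sanitizeHtml() call; that duplication is how unsanitized copies were missed in the first place. Extract a shared Blade component (or a sanitized accessor on the record) so a future view cannot reintroduce {!! $record->body !!}, and add a CI grep for '{!!' lines lacking sanitizeHtml( under plugins/ to catch the next one.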
    
  • plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php (+3 −3, modified)
    @@ -17,15 +17,15 @@
                             </span>
     
                             <div class="mt-1 text-sm font-semibold text-gray-900 dark:text-gray-100">
    -                            {!! $record->subject !!}
    +                            {!! str($record->subject)->sanitizeHtml() !!}
                             </div>
                         </div>
                     @endif
     
                     {{-- Body --}}
                     @if ($record->body)
                         <div class="text-sm leading-6 text-gray-700 dark:text-white overflow-x-hidden max-w-full break-words [&_a]:text-primary-600 dark:[&_a]:text-primary-400 [&_a:hover]:underline [&_ul]:list-disc [&_ul]:ms-5 [&_ol]:list-decimal [&_ol]:ms-5">
    -                        {!! $record->body !!}
    +                        {!! str($record->body)->sanitizeHtml() !!}
                         </div>
                     @endif
     
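Review bot: on the subject line, sanitizeHtml() is a weaker fix than the situation calls for. A message subject has no legitimate reason to contain markup, so escaping it with {{ $record->subject }} is stricter, cheaper and independent of the sanitizer's allow-list; the body echo further down, where rich text is expected, is the right place for sanitization. Since this is the sink named in CVE-2026-4175, a regression test with a subject of <img src=x onerror=alert(1)> should accompany the change.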
    @@ -122,7 +122,7 @@ class="w-10 h-10 text-gray-500 dark:text-gray-400"
             @case('notification')
                 @if ($record->body)
                     <div class="font-inter text-base text-gray-900 dark:text-gray-100 max-w-full">
    -                    {!! $record->body !!}
    +                    {!! str($record->body)->sanitizeHtml() !!}
                     </div>
                 @endif
     
    
  • plugins/webkul/chatter/resources/views/mail/follower-mail.blade.php (+1 −1, modified)
    @@ -18,7 +18,7 @@ class="view-button"
             ]) }}
     
             @isset($payload['note'])
    -            <p>{!! $payload['note'] !!}</p>
    +            <p>{!! str($payload['note'])->sanitizeHtml() !!}</p>
             @endisset
         </div>
     
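Review bot: the sanitized note is wrapped in <p>...</p> here. If the sanitizer's allow-list permits block-level elements (lists, divs, further paragraphs), an authored note yields block content nested inside <p>, which mail clients render unpredictably. Either drop the wrapping <p> and let the sanitized fragment stand on its own, or confirm that the allow-list used for mail is inline-only.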
    
  • plugins/webkul/chatter/resources/views/mail/message-mail.blade.php (+1 −1, modified)
    @@ -12,7 +12,7 @@ class="view-button"
     
         <div class="notification">
             @isset($payload['content'])
    -            <p>{!! $payload['content'] !!}</p>
    +            <p>{!! str($payload['content'])->sanitizeHtml() !!}</p>
             @endisset
     
             <p>{{ $payload['from']['name'] }}</p>
    
  • plugins/webkul/sales/resources/views/mails/sale-order-cancel-quotation.blade.php (+1 −1, modified)
    @@ -1,6 +1,6 @@
     <x-support::emails.layout>
         <div class="notification">
    -        {!! $payload['description'] !!}
    +        {!! str($payload['description'])->sanitizeHtml() !!}
         </div>
     
         @isset($payload['from']['company'])
    
  • plugins/webkul/sales/resources/views/mails/sale-order-quotation.blade.php (+1 −1, modified)
    @@ -4,7 +4,7 @@
         </div>
     
         <div class="notification">
    -        {!! $payload['description'] !!}
    +        {!! str($payload['description'])->sanitizeHtml() !!}
         </div>
     
         @isset($payload['from']['company'])
    
  • plugins/webkul/website/resources/views/filament/customer/resources/page/pages/view-record.blade.php (+1 −1, modified)
    @@ -18,6 +18,6 @@
         @endPush
     
         <p>
    -        {!! $record->content !!}
    +        {!! str($record->content)->sanitizeHtml() !!}
         </p>
     </x-filament-panels::page>
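Review bot: website pages are the one place where administrators may legitimately embed markup a default sanitizer drops (inline styles, iframes, data attributes), so this hunk is the most likely of the nine to cause a functional regression. Check the sanitizer configuration against existing page content before release and document which elements and attributes the allow-list keeps; if trusted admin-authored pages need richer HTML, give this view its own explicit allow-list rather than loosening the global one that the chatter and mail views now rely on.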
    
