CVE-2026-5254
Description
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in FFmate <= 2.0.15 allows remote attackers to inject arbitrary JavaScript via unsanitized webhook responses.
Vulnerability
Description
A stored cross-site scripting (XSS) vulnerability exists in welovemedia FFmate up to version 2.0.15. The issue resides in the /ui/app/components/AppJsonTreeView.vue file, part of the Webhook Handler component. The root cause is the use of the v-html directive to render webhook response data without proper sanitization or validation [1]. The code directly interpolates user-controlled content into the DOM using v-html="highlight(...)" for string values, allowing HTML/JavaScript injection [1].
Exploitation
Prerequisites
An attacker can exploit this vulnerability remotely with no authentication required. The attack vector involves configuring a webhook endpoint that returns a malicious JavaScript payload. When a user views the webhook execution results in the FFmate interface, the unsanitized response is rendered via v-html, executing the injected script in the victim's browser [1]. No special privileges are needed beyond the ability to create or manipulate webhook configurations.
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the victim's session. This can lead to session hijacking, credential theft, or performing actions on behalf of the authenticated user [1]. The vulnerability is stored, meaning the payload persists and triggers for any user who accesses the affected view.
Mitigation
Status
The vendor was contacted but did not respond [1]. As of the advisory, no official patch has been released. Mitigations include implementing HTML sanitization (e.g., DOMPurify), avoiding v-html in favor of safe Vue.js rendering, applying Content Security Policy headers, and validating input against a whitelist of allowed HTML tags and attributes [1].
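As an added example (not FFmate's code), the rendering pattern described above: a highlight() helper whose HTML output is handed to v-html, shown in the vulnerable shape beside a hardened one that entity-encodes the webhook value before adding its own markup. The helper's behaviour (wrapping a search term in <mark>) and the sample response are assumptions.

```javascript
// Added example, not FFmate's code. It models the pattern the advisory
// describes: a highlight() helper whose HTML is rendered with v-html. The
// helper's behaviour (wrapping a search term in <mark>) is an assumption.

// Escape the characters that change meaning when text lands in HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Treat the search term as literal text, not as a regular expression.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable shape: the untrusted value passes through unchanged and only
// the match is wrapped, so markup in a webhook response reaches the DOM.
function highlightUnsafe(value, term) {
  const text = String(value);
  if (!term) return text;
  return text.replace(new RegExp(escapeRegExp(term), "gi"), (m) => `<mark>${m}</mark>`);
}

// Hardened shape: split on the term, escape every piece, then add only the
// markup this component controls; v-html sees nothing but our own <mark>.
function highlightSafe(value, term) {
  const text = String(value);
  if (!term) return escapeHtml(text);
  const re = new RegExp(`(${escapeRegExp(term)})`, "gi");
  // With a capturing group, split() places the matches at odd indices.
  return text
    .split(re)
    .map((piece, i) => (i % 2 === 1 ? `<mark>${escapeHtml(piece)}</mark>` : escapeHtml(piece)))
    .join("");
}

// Unit-test check: once our own <mark> tags are removed, no '<' may remain
// in the HTML handed to v-html.
function onlyOwnMarkup(html) {
  return !html.replace(/<\/?mark>/g, "").includes("<");
}

// Constructed webhook response value carrying markup (not from a real system).
const SAMPLE_RESPONSE = "status=<b>done</b> <script>probe()</script>";
```

Escaping before highlighting is the minimal change; rendering the value through mustache interpolation and dropping v-html altogether removes the sink entirely.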
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.15
Patches
No patches discovered yet.