VYPR
← All advisories
Medium severity4.3NVD Advisory· Published May 26, 2026

CVE-2026-9520

CVE-2026-9520

Description

A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM XSS vulnerability in Blitz.js sign-in via the `next` URL parameter allows remote attackers to execute arbitrary JavaScript.

Vulnerability

A DOM Cross-Site Scripting (XSS) vulnerability exists in Blitz.js versions up to 3.0.2, specifically in the sign-in component. The flaw resides in the handling of the next URL parameter within the LoginForm.tsx file in the App Router template (and similar files in Pages Router). The application improperly trusts the next parameter and passes it directly to router.push, which can execute javascript: URIs, leading to XSS. Affected files include packages/generator/templates/app/src/app/auth/components/LoginForm.tsx and analogous files in Pages Router (apps/toolkit-app/src/pages/login.tsx, etc.). [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link containing a javascript: URI in the next parameter (e.g., ?next=javascript:alert(1)). No authentication is required. The attacker tricks a user into clicking the link; upon clicking, the browser executes the attacker-supplied JavaScript in the context of the Blitz.js application. The exploit is publicly available, making the attack easily reproducible. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to credential theft, session hijacking, or unauthorized actions performed on behalf of the victim. The impact is considered high, as it compromises the confidentiality and integrity of user sessions. [1]

Mitigation

As of the publication date, the vendor was contacted but did not respond, and no official patch has been released for this vulnerability. Users are advised to implement client-side validation of the next parameter, blocking javascript: URIs, or to avoid clicking untrusted links. No workaround is provided in the available references. [1]

References
  1. cvd_blitzjs_20260308.md

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Blitz Js/Blitzinferred2 versions
    <=3.0.2+ 1 more
    • (no CPE)range: <=3.0.2
    • (no CPE)range: <=3.0.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application trusts the `next` URL parameter without validation, allowing an attacker to inject a `javascript:` URI that the router passes to `window.location`, resulting in DOM-based XSS."

Attack vector

An attacker crafts a malicious link such as `http://test.local:3000/login?next=javascript:alert(1)` and tricks a victim into clicking it [ref_id=1]. After the victim logs in, the sign-in component reads the `next` parameter from the URL via `router.query.next` (Pages Router) or `useSearchParams()?.get("next")` (App Router) and passes it directly to `router.push()` [ref_id=1]. Because `router.push` ultimately assigns the value to `window.location`, a `javascript:` URI executes arbitrary script in the victim's browser session [ref_id=1]. The attack requires no authentication and only user interaction (clicking the link) [ref_id=1].

Affected code

The vulnerable code is in `packages/generator/templates/app/src/app/auth/components/LoginForm.tsx` (App Router) and `packages/generator/templates/pages/src/pages/auth/login.tsx` (Pages Router) [ref_id=1]. In the App Router variant, the `next` value is obtained via `useSearchParams()?.get("next")` and passed directly to `router.push(next as Route)` [ref_id=1]. In the Pages Router variant, `router.query.next` is decoded with `decodeURIComponent` and then passed to `router.push(next)` [ref_id=1].

What the fix does

No patch has been published by the vendor; the advisory recommends that applications validate the `next` parameter before using it for redirection [ref_id=1]. The suggested fix uses the `URL` constructor to parse the redirect path relative to the current origin, then checks that both the origin matches and the protocol is `http:` or `https:` [ref_id=1]. This blocks `javascript:`, `data:`, `vbscript:`, cross-origin redirects, and open-redirect patterns like `//attacker.site` [ref_id=1]. If validation fails, the code should fall back to a safe default path such as `"/"` [ref_id=1].

Preconditions

  • inputVictim must click a crafted link containing a `next` parameter with a `javascript:` URI
  • authVictim must be logged in (or log in after clicking) so the redirect code executes
  • authNo authentication required for the attacker
  • networkAttack is performed remotely over the network

Reproduction

1. Create a Blitz app using either the Pages Router or App Router template (`blitz new app`). 2. Start the development server (e.g., `blitz dev`). 3. Craft a malicious URL: - Pages Router: `http://test.local:3000/auth/login?next=javascript:alert(1)` - App Router: `http://test.local:3000/login?next=javascript:alert(1)` 4. Send the link to a victim. 5. When the victim clicks the link and logs in, the `router.push` call executes the `javascript:` URI, triggering the XSS payload [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.