Home

Description

Cross-site scripting vulnerability in phoenixframework phoenix_live_view allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions in lib/phoenix_live_view/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path. Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session. Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via <.link href={...}> are affected. This issue affects phoenix_live_view: from 1.2.2 before 1.2.7.

PUBLISHED Reserved 2026-06-29 | Published 2026-07-13 | Updated 2026-07-14 | Assigner EEF




MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

1.2.2 (semver) before 1.2.7
affected

Default status
unaffected

4b63216ae68886db99cf7772af23372d76c40e7e (git) before 86165533e311469a1b62093fd182d9d874de8106
affected

Credits

Barna Kovacs finder

Steffen Deusch remediation developer

José Valim analyst

Jonatan Männchen / EEF analyst

References

github.com/...e_view/security/advisories/GHSA-5cgh-g58j-m9cq exploit

github.com/...e_view/security/advisories/GHSA-5cgh-g58j-m9cq vendor-advisory related

cna.erlef.org/cves/CVE-2026-58228.html related

osv.dev/vulnerability/EEF-CVE-2026-58228 related

github.com/...ommit/86165533e311469a1b62093fd182d9d874de8106 patch

cve.org (CVE-2026-58228)

nvd.nist.gov (CVE-2026-58228)

Download JSON