@inertiajs/vue3 is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
The Head component renders the title prop into a <title> element during server-side rendering without HTML-escaping its value. An application that passes attacker-controlled data as the page title lets an attacker close the title element early and inject markup such as </title><script> into the server-rendered HTML response. Before the fix this allows arbitrary script execution in the victim's browser in the application origin. The fix escapes the title content before it is written into the SSR <title> element.
You are affected if you are using a version that falls within the vulnerable range and you use server-side rendering with Head titles derived from untrusted input.
@inertiajs/vue3 is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21.
Upgrade the @inertiajs/vue3 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant