Intel

AIKIDO-2026-854586

@inertiajs/core is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

59

Medium Risk

This Affects:

JS@inertiajs/core
1.0.0 - 2.3.21
Fixed in 2.3.22
3.0.0 - 3.0.3
Fixed in 3.1.0
Are you affected? Scan for Free

TL;DR

When Inertia receives a non-Inertia response such as a server error page, it renders the returned HTML inside a modal or dialog iframe by writing it into a same-origin, unsandboxed iframe with document.write. Scripts contained in that response execute in the application origin and can reach window.parent, giving them access to the host page. An attacker who can cause the server to reflect attacker-controlled markup in such an error response can run script with access to the parent application context. The fix renders the content through the iframe srcdoc attribute together with a sandbox attribute so embedded scripts run in an isolated context that cannot access window.parent.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your server can return attacker-influenced HTML in a non-Inertia error response that Inertia renders in its error modal.

Background info

@inertiajs/core is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21 and 3.0.0 - 3.0.3.

How to fix this

Upgrade the @inertiajs/core library to the patch version.