CVE-2025-1461— Vuetify XSS through 'eventMoreText' prop of VCalendar
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-1461
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vuetify XSS through 'eventMoreText' prop of VCalendar
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper neutralization of the value of the 'eventMoreText' property of the 'VCalendar' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. The vulnerability occurs because the default Vuetify translator will return the translation key as the translation, if it can't find an actual translation. This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
vuetify 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vuetify是德国vuetify开源的一个 Vue 的材质组件框架。 vuetify 3.0.0之前版本存在安全漏洞,该漏洞源于VCalendar组件eventMoreText属性未正确清理,可能导致跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-1461
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/neverendingsupport/nes-vuetify-cve-2025-1461 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-1461
请登录查看更多情报信息。
Other References for CVE-2025-1461 (1)
- https://www.herodevs.com/vulnerability-directory/cve-2025-1461third-party-advisory
Same Patch Batch · N/A · 2025-05-28 · 10 CVEs total
| CVE-2025-45997 | SourceCodester Web-based Pharmacy Product Management System 安全漏洞 | |
| CVE-2025-45343 | Tenda W18E 安全漏洞 | |
| CVE-2025-48746 | Netwrix Directory Manager 安全漏洞 | |
| CVE-2025-48747 | Netwrix Directory Manager 安全漏洞 | |
| CVE-2025-47748 | Netwrix Directory Manager 安全漏洞 | |
| CVE-2025-48749 | Netwrix Directory Manager 安全漏洞 | |
| CVE-2024-57336 | M2Soft CROWNIX Report & ERS 安全漏洞 | |
| CVE-2024-57338 | M2Soft CROWNIX Report & ERS 安全漏洞 | |
| CVE-2024-57337 | M2Soft CROWNIX Report & ERS 安全漏洞 |
IV. Related Vulnerabilities
Same vendor: N/A
- CVE-2026-9376
JPress UCenter Article Submission Endpoint doWriteSave impro - CVE-2026-9373
JeecgBoot OpenAPI Endpoint call improper authentication - CVE-2026-9365
Ettercap GG Dissector ec_gg.c FUNC_DECODER heap-based overfl - CVE-2026-9358
postcss AST Serialization container.js toString recursion - CVE-2026-9357
vBulletin Login cross site scripting
Same weakness: CWE-79
- CVE-2026-9377
SourceCodester SUP Online Shopping productedit.php cross sit - CVE-2026-9357
vBulletin Login cross site scripting - CVE-2018-25349
userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For He - CVE-2026-41147
NukeViet CMS: Stored Cross-Site Scripting (XSS) via insuffic - CVE-2026-40607
MantisBT is Vulnerable to Stored XSS Through its Saved-Filte
V. Comments for CVE-2025-1461
No comments yet