CVE-2026-33664 HIGH

CVE-2026-33664: Kestra Vulnerable to Stored Cross-Site Scripting via Flow YAML Fields

Vendor Kestra-Io
Product kestra
Weakness CWE-79 · XSS
Published March 26, 2026
Last update March 27, 2026
View on NVD All CVEs

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Kestra is an open-source, event-driven orchestration platform Versions up to and including 1.3.3 render user-supplied flow YAML metadata fields — description, inputs[].displayName, inputs[].description — through the Markdown.vue component instantiated with html: true. The resulting HTML is injected into the DOM via Vue's v-html without any sanitization. This allows a flow author to embed arbitrary JavaScript that executes in the browser of any user who views or interacts with the flow. This is distinct from GHSA-r36c-83hm-pc8j / CVE-2026-29082, which covers only FilePreview.vue rendering .md files from execution outputs. The present finding affects different components, different data sources, and requires significantly less user interaction (zero-click for input.displayName). As of time of publication, it is unclear if a patch is available.

Key dates

02Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-40664 WordPress Donations Made Easy – Smart Donations Plugin <= 4.0.12 is vulnerable to Cross Site Scripting (XSS) CVE-2023-28083 Potential Cross-Site scripting vulnerability in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). CVE-2023-22715 WordPress WP-CommentNavi Plugin <= 1.12.1 is vulnerable to Cross Site Scripting (XSS) CVE-2024-26125 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-12261 SmartEmailing.cz <= 2.2.0 - Reflected Cross-Site Scripting