CVE-2025-62798: Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in `{{` & `}}` were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. For example, if a field's value contains `{{ Math.random() }}`, it will be executed instead of being displayed as text.

### Impact

Attackers who can control content rendered through SharpShowTextField could execute arbitrary JavaScript in the context of an authenticated user's browser. This could lead to:

- Theft of user session tokens.
- Unauthorized actions performed on behalf of users.
- Injection of malicious content into the admin panel.

### Patches

The issue has been fixed in v9.11.1 of the code16/sharp package.

### Mitigation / Workarounds

Sanitize or encode any user-provided data that may include `{{` & `}}` before displaying it in a SharpShowTextField.
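The workaround above (encode the `{{` and `}}` delimiters before display) as an added example; this is not code from code16/sharp, and the function names `findInterpolations` and `neutralizeMustache` are assumptions for illustration. The real fix is upgrading to v9.11.1.

```javascript
// Added example (not code16/sharp code): detect Vue mustache spans in
// user-provided field values, and encode the delimiters so a Vue-compiled
// template displays them as text instead of evaluating them.

// Matches every "{{ ... }}" span that Vue's template compiler would treat
// as an interpolation expression (default delimiters, non-greedy).
const MUSTACHE_RE = /\{\{([\s\S]*?)\}\}/g;

// Return the position and expression text of each interpolation found.
// Useful as a detection check on stored values or in a test suite.
function findInterpolations(text) {
  const found = [];
  for (const m of String(text).matchAll(MUSTACHE_RE)) {
    found.push({ index: m.index, expression: m[1].trim() });
  }
  return found;
}

// Replace the brace characters with HTML character references. The browser
// still renders "&#123;" as a literal "{", but Vue only recognises the raw
// "{{" sequence in template source, so no expression is evaluated.
function neutralizeMustache(text) {
  return String(text).replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
}

// Convenience check for a value that is about to be placed in a template.
function isSafeForTemplate(text) {
  return findInterpolations(text).length === 0;
}

// Constructed sample value mirroring the advisory's example.
const sample = 'Order note: {{ Math.random() }}';
console.log(findInterpolations(sample)); // one hit, expression "Math.random()"
console.log(neutralizeMustache(sample)); // displays as text once rendered
console.log(isSafeForTemplate(neutralizeMustache(sample))); // true
```

Vue's `v-pre` directive is an alternative when you control the template: it skips compilation of an element's content entirely.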
Frequently Asked Questions
What is the severity of CVE-2025-62798?
CVE-2025-62798 is classified as a medium severity Cross-Site Scripting (XSS) vulnerability.
How do I fix CVE-2025-62798?
To fix CVE-2025-62798, upgrade to Sharp version 9.11.1 or later.
What components are affected by CVE-2025-62798?
CVE-2025-62798 affects the SharpShowTextField component in versions prior to 9.11.1.
What is a Cross-Site Scripting (XSS) vulnerability in the context of CVE-2025-62798?
In the context of CVE-2025-62798, a Cross-Site Scripting vulnerability allows an attacker to inject malicious scripts into web pages viewed by users.
Is there a patch available for CVE-2025-62798?
Yes, a patch is available by upgrading to Sharp version 9.11.1.