CVE-2026-9520

MEDIUM 4.3

blitz-js blitz Sign-in LoginForm.tsx cross site scripting

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

9th

A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-79 CWE-94
Vendor	blitz-js
Product	blitz
Published	May 26, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for blitz-js blitz

Be the first to know when new medium vulnerabilities affecting blitz-js blitz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

blitz-js / blitz

3.0.0 3.0.1 3.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/365540 vuldb.com: https://vuldb.com/vuln/365540/cti vuldb.com: https://vuldb.com/submit/814378 gist.github.com: https://gist.github.com/TrebledJ/164c7ca6c8208b63e6937bc11984720b

Credits

🔍 trebledj (VulDB User) VulDB CNA Team