CVE-2022-25873

Name: CVE-2022-25873
Creator: NVD / NIST
Published: 2022-09-18T15:15:09.66+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.4/10EPSS 0.64%

Last modified Jun 17, 2026

CVE-2022-25873 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.. EPSS estimates a 0.64% chance of exploitation in the next 30 days.

Description

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Probability

0.64%

46.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions	Update
Vuetifyjs	Vuetify	>= 2.0.1, < 2.6.10	—
Vuetifyjs	Vuetify	2.0.0	Beta4

References

https://codepen.io/5v3n-08/pen/MWGKEjYExploit, Third Party Advisory
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176Patch, Third Party Advisory
https://github.com/vuetifyjs/vuetify/issues/15757Issue Tracking, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858Third Party Advisory
https://codepen.io/5v3n-08/pen/MWGKEjYExploit, Third Party Advisory
https://github.com/vuetifyjs/vuetify/commit/ade1434927f55a0eccf3d54f900f24c5fa85a176Patch, Third Party Advisory
https://github.com/vuetifyjs/vuetify/issues/15757Issue Tracking, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBVUETIFYJS-3024407Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3024406Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-VUETIFY-3019858Third Party Advisory

Timeline

Published: Sep 18, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-25873?

The package vuetify from 2.0.0-beta.4 and before 2.6.10 are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

How severe is CVE-2022-25873?

CVE-2022-25873 has a CVSS score of 5.4/10 (MEDIUM severity). The EPSS model estimates a 0.64% probability of exploitation in the next 30 days.

How do I fix CVE-2022-25873?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-25873?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST