CVE-2026-57958
MediumCVSS 6.1Summary
Mixpost through version 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters.
Risk Assessment
Attackers can exploit this vulnerability to hijack authenticated user sessions or perform unauthorized actions on their behalf, potentially leading to data theft or privilege escalation.
Recommendation
Immediately update Mixpost to a version newer than 2.6.0 that includes a fix for this vulnerability, and implement input validation and sanitization for all parameters in OAuth controllers.
Original NVD description (English source)
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.

