CVE-2025-62798

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 .

Published: Oct 29, 2025
Updated: Nov 5, 2025
CVE: CVE-2025-62798
GHSA: GHSA-9f58-4465-23c7
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
code16 / sharp	-	9.11.1

https://github.com/code16/sharp/pull/654
https://github.com/code16/sharp/releases/tag/v9.11.1
https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7
https://github.com/ViktorMares/vue-js-xss-payload-list
https://medium.com/@sid0krypt/vue-js-reflected-xss-fae04c9872d2

Vulnerability Database

CVE-2025-62798

Deep Security Visibility Without the Complexity