Onlook Web Application DOM-Based Cross-Site Scripting Vulnerability in Text Editor Feature

Vulnerability

A DOM-based Cross-Site Scripting vulnerability has been identified in the text editor feature of the Onlook web application, version 0.2.32. This issue arises because user input is not adequately sanitized before being injected into the DOM using innerHTML, when editing text elements. As a result, an attacker can exploit this vulnerability to inject malicious HTML and script code. The injected scripts are executed within the context of the preview iframe, potentially allowing the execution of arbitrary scripts in the user's session.

Impact

Exploitation of this vulnerability allows for DOM-based Cross-Site Scripting, where injected scripts are executed in the context of the user's session, potentially leading to unauthorized actions or data exposure.

Added: Nov 7, 2025, 5:17 PM

Updated: Nov 7, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.4

remediation

0.0

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.4

remediation

0.0

relevance

1.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Onlook Web Application DOM-Based Cross-Site Scripting Vulnerability in Text Editor Feature

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating