Primary

Context

Kestra Stored Cross-Site Scripting Vulnerability in Markdown File Preview

Vulnerability

A stored cross-site scripting vulnerability has been identified in Kestra, an event-driven orchestration platform, in versions through 1.1.10. The issue arises because the execution-file preview feature renders user-supplied Markdown files with 'markdown-it' configured to allow HTML. This unfiltered HTML is then injected into the application using Vue's 'v-html' directive, creating an opportunity for malicious scripts to be executed. At the time of publication, no patches are available.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, create a flow in Kestra that writes a malicious Markdown file, 'xss.md', containing a script payload, such as an image tag with an 'onerror' attribute. After executing the flow, the injected script will execute when the Markdown preview is rendered.

Added: Mar 6, 2026, 5:19 PM

Updated: Mar 6, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

3.5

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

3.5

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Kestra Stored Cross-Site Scripting Vulnerability in Markdown File Preview

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating