CVE-2025-53892

MEDIUM EPSS 47.3%
Published Jul 16, 202511mo ago · Modified Jun 17, 20262w ago
5.3 CVSS 4.0
Medium
Find Similar
Published Jul 16, 2025 11mo ago
Last Modified Jun 17, 2026 2w ago

Description

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

CVSS Details

Base Score
5.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
47.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

References 8

  • github.com https://github.com/intlify/vue-i18n/commit/49f982443ab8fd94ecc427b265ce97d57df94d7e
  • github.com https://github.com/intlify/vue-i18n/commit/a47099619fb9b256e86341a8658ebe72e92ab099
  • github.com https://github.com/intlify/vue-i18n/pull/2229
  • github.com https://github.com/intlify/vue-i18n/pull/2230
  • github.com https://github.com/intlify/vue-i18n/releases/tag/v10.0.8
  • github.com https://github.com/intlify/vue-i18n/releases/tag/v11.1.10
  • github.com https://github.com/intlify/vue-i18n/releases/tag/v9.14.5
  • github.com https://github.com/intlify/vue-i18n/security/advisories/GHSA-x8qp-wqqm-57ph

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.