CVE-2026-24474
Unknown Unknown - Not Provided
Code Injection via eval in Dioxus Components' use_animated_open

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: GitHub, Inc.

Description
Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24474
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dioxuslabs dioxus_components to 41e4242ecb1062d04ae42a5215363c1d9fd4e23a (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24474 is a vulnerability in the Rust package dioxus_components where the function use_animated_open formats a string for JavaScript eval using an id that can be supplied by the user without proper validation. This allows an attacker to inject and execute arbitrary JavaScript code, leading to a JavaScript injection vulnerability. The issue was fixed by changing the code to use asynchronous message passing instead of direct string interpolation for eval, preventing unsafe code execution. [1, 2]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the application using dioxus_components. This could lead to unauthorized actions, data theft, or manipulation of the user interface. Users who provide or handle IDs insecurely are at risk, as malicious input could be executed, potentially compromising application security and user data. [1]

Detection Guidance

This vulnerability involves unsafe evaluation of user-supplied IDs in the `use_animated_open` function leading to JavaScript injection. Detection can focus on identifying usage of the vulnerable `dioxus_components` package version prior to the patch (commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a). You can scan your codebase or dependencies for this package version. Additionally, monitoring for suspicious JavaScript eval executions or unexpected script injections related to user-supplied IDs in your application logs may help. Specific commands could include searching your code or dependencies for the vulnerable function usage, for example using `grep` or similar tools: `grep -r 'use_animated_open' ./` or checking your package lock files for vulnerable versions. Network detection is limited as this is a code-level vulnerability without a specific network signature. [1, 2]

Mitigation Strategies

The immediate mitigation step is to update the `dioxus_components` package to include the patch introduced in commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, which replaces unsafe string formatting for `eval` with asynchronous message passing to safely handle user-supplied IDs. Applying this update prevents JavaScript injection by properly sanitizing or avoiding direct evaluation of user input. Additionally, review your code to avoid passing user-supplied data directly into `eval` or similar functions without validation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart