CVE-2026-29082
Received Received - Intake

Cross-Site Scripting in Kestra Markdown Preview Component

Vulnerability report for CVE-2026-29082, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-06

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there are no publicly available patches.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-06
Last Modified
2026-03-10
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kestra kestra to 1.1.10 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-29082 is a Stored Cross-Site Scripting (XSS) vulnerability in Kestra versions up to 1.1.10, specifically in the Markdown file preview feature.

Kestra renders user-supplied Markdown (.md) files using the markdown-it library with the option html:true enabled, which allows raw HTML content. This rendered HTML is then injected into the Vue.js frontend using the v-html directive without any sanitization.

Because there is no sanitization, malicious scripts embedded in the Markdown files can execute in the context of the Kestra UI.

For example, an attacker can create a Markdown file containing an image tag with an onerror event handler that executes JavaScript code, such as alert(document.domain), which runs when the file is previewed.

Impact Analysis

The XSS vulnerability allows attackers to execute arbitrary JavaScript in the context of the Kestra UI origin.

  • Attackers can steal JWT authentication cookies and the X-Kestra-CSRF header.
  • This enables full API impersonation of administrators or other tenant users.

The vulnerability is rated High severity with a CVSS v3 score of 7.3, indicating a significant risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying if your Kestra installation is running version 1.1.10 or earlier and if the execution-file preview feature renders user-supplied Markdown files with markdown-it instantiated with the option html:true, allowing raw HTML rendering without sanitization.'}, {'type': 'paragraph', 'content': 'To detect exploitation or presence of malicious Markdown files, you can check for Markdown files containing suspicious inline event handlers such as onerror, onload, or ontoggle attributes in your Kestra storage or flows.'}, {'type': 'paragraph', 'content': 'A practical approach is to query the backend API endpoint that returns the raw Markdown content for preview, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "http://<kestra-host>/api/v1/<tenant>/executions/<execId>/file/preview?path=/xss.md" -H "Authorization: Bearer <token>"'}, {'type': 'paragraph', 'content': 'Review the returned Markdown content for any embedded HTML tags with event handlers that could trigger JavaScript execution.'}] [1]

Mitigation Strategies

Since no patches are publicly available at the time of the advisory, immediate mitigation steps include:

  • Avoid previewing or rendering user-supplied Markdown files in the Kestra UI to prevent execution of malicious scripts.
  • Restrict access to the Kestra UI and API endpoints to trusted users only, minimizing the risk of malicious Markdown file uploads.
  • Implement network-level controls such as firewall rules or web application firewalls (WAF) to monitor and block suspicious requests targeting the Markdown preview feature.
  • Review and sanitize any Markdown content before it is uploaded or rendered, if possible, to remove unsafe HTML or event handlers.

Monitor Kestra project updates for any forthcoming patches addressing this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart