CVE-2026-57958

Reflected XSS in Mixpost via Unsanitized OAuth Error Parameters

Vulnerability report for CVE-2026-57958, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.

Meta Information

EPSS evaluated: N/A (no EPSS probability or percentile is available for this CVE yet)
Cross-references: NVD, EUVD

Affected Vendors & Products

Two CPEs are associated with this CVE:

Vendor      Product   Version range
mixpost     mixpost   up to and including 2.6.0
inovector   mixpost   up to but excluding 2.6.0

The two ranges disagree on whether 2.6.0 itself is affected. The description says "through 2.6.0", which matches the inclusive range, so treat 2.6.0 as affected when assessing exposure.

Exploitability

CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

CVE-2026-57958 is a reflected cross-site scripting (XSS) vulnerability in Mixpost through version 2.6.0. When an OAuth provider redirects back to Mixpost, the callback controller reads the error query parameter from the request and stores it verbatim as a Laravel flash message, with no validation or escaping. The front end then renders that flash message with Vue's v-html directive, which inserts the value into the DOM as markup rather than as text.

Because the value comes straight from the URL, the attacker needs no account: a crafted callback URL sent to an authenticated Mixpost user runs attacker-controlled JavaScript in that user's browser, within Mixpost's origin, as soon as the link is opened.

Impact Analysis

Exploitation runs attacker-controlled JavaScript in the victim's browser within Mixpost's origin, which allows session hijacking and any action the victim is permitted to perform.

Because the script runs in the same origin, requests it issues carry the victim's session cookie automatically, and Laravel's CSRF token is readable from the page; CSRF protection therefore does not stop it from changing settings or reading data on the victim's behalf.

If the session cookie lacks the HttpOnly flag, the script can also read the cookie directly and exfiltrate it. HttpOnly blocks that theft but not the in-origin actions above. The injected markup can additionally be used for credential phishing inside the trusted Mixpost interface.

Detection Guidance

Exploitation attempts show up in web server or reverse proxy access logs as requests to the OAuth callback route whose error (or error_description) query parameter carries markup or script rather than the short error codes an OAuth provider sends. Because a reflected XSS payload is delivered by the victim's own browser following the attacker's link, the request originates from the victim's address, not the attacker's; the Referer header, where present, can point to the page that carried the link.

Searching the access logs for the callback route with an error parameter is the quickest first pass. The query string is logged percent-encoded, so match the encoded forms (%3C for <, %3D for =) as well as the literal characters, and replace /callback with the actual callback path shown by php artisan route:list:

  • grep -Ei '"GET /callback[^ ]*[?&]error(_description)?=' /var/log/nginx/access.log
  • grep -Ei '"GET /callback[^ ]*[?&]error(_description)?=' /var/log/apache2/access.log | grep -Ei '%3C|<|javascript(%3A|:)|on[a-z]+(%3D|=)'

Within the matched values, look for the usual reflected-XSS markers: a < character (encoded or not), javascript: URLs, event handler attributes such as onerror= or onload=, and double-encoded sequences such as %253C that unfold to < after the framework decodes them.

A web application scanner that tests the callback endpoint with reflected-XSS payloads can confirm whether a given installation is vulnerable; run it against a non-production copy.
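
The log search above, carried out as a small Node.js script. This is an added example, not Mixpost's code or part of the advisory: the log lines are constructed, the callback path pattern (anything containing "callback") is an assumption to be replaced with the real route, and the RFC 6749 character-set check is only an anomaly signal, since that set still allows < and >.

```javascript
// Added example, not Mixpost's code: flag OAuth callback requests whose
// error / error_description values look like reflected-XSS attempts.
// Runs under Node.js on a constructed sample of "combined" access-log lines.

// RFC 6749 section 4.1.2.1 limits error and error_description to the ASCII
// set %x20-21 / %x23-5B / %x5D-7E (printable, without '"' and '\').
// '<' and '>' are inside that set, so conformance alone does not rule out
// markup; a value outside the set is merely something no provider sends.
const RFC6749_CHARSET = /^[\x20-\x21\x23-\x5B\x5D-\x7E]*$/;

// Markup or script fragments that no OAuth provider legitimately sends.
const XSS_INDICATORS = [/<\s*\/?\s*[a-z]/i, /javascript\s*:/i, /\bon[a-z]+\s*=/i];

// Assumption: the OAuth callback route contains "callback". Replace with the
// real path from `php artisan route:list` on your Mixpost install.
const CALLBACK_PATH = /callback/i;

// Parse one combined-format log line; returns null if it does not match.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const target = m[3];
  const q = target.indexOf('?');
  return {
    ip: m[1],
    method: m[2],
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
    status: Number(m[4]),
  };
}

// URLSearchParams already decodes one layer; a second pass catches values
// that were double-encoded to slip past naive filters.
function decodeAgain(value) {
  try { return decodeURIComponent(value); } catch (_) { return value; }
}

// Verdict for one decoded value: 'ok' or the reason it looks suspicious.
function classifyErrorValue(value) {
  if (XSS_INDICATORS.some((re) => re.test(value))) return 'markup-or-script';
  if (!RFC6749_CHARSET.test(value)) return 'outside-rfc6749-charset';
  return 'ok';
}

// Scan log lines and return one finding per suspicious callback parameter.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || !CALLBACK_PATH.test(req.path)) continue;
    const params = new URLSearchParams(req.query);
    for (const name of ['error', 'error_description']) {
      for (const raw of params.getAll(name)) {
        const value = decodeAgain(raw);
        const verdict = classifyErrorValue(value);
        if (verdict !== 'ok') findings.push({ ip: req.ip, param: name, value, verdict });
      }
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  // Benign: the provider reported access_denied, one of the RFC 6749 codes.
  '203.0.113.10 - - [29/Jun/2026:10:01:12 +0000] "GET /callback?error=access_denied&state=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  // Malicious: percent-encoded <img onerror=...> in error_description.
  '198.51.100.7 - - [29/Jun/2026:10:02:40 +0000] "GET /callback?error=x&error_description=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  // Malicious: double-encoded <script> in error.
  '198.51.100.7 - - [29/Jun/2026:10:03:01 +0000] "GET /callback?error=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 302 0 "-" "curl/8.0"',
  // Not the callback route: an error parameter elsewhere is out of scope here.
  '203.0.113.11 - - [29/Jun/2026:10:04:55 +0000] "GET /login?error=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

On the sample above the scan reports the two requests from 198.51.100.7 and ignores both the legitimate access_denied callback and the /login request. Feed it real lines with something like `fs.readFileSync('/var/log/nginx/access.log', 'utf8').split('\n')`.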

Mitigation Strategies

The fix belongs in two places: the callback controller, which must stop flashing the raw error parameter, and the template, which must stop rendering flash messages as HTML.

Since the vulnerability arises from unsanitized error parameters being rendered via Laravel flash messages and Vue's v-html directive, you should:

  • Not flash the raw error parameter. RFC 6749 defines a closed set of error codes (access_denied, server_error, invalid_scope and so on); map each known code to a fixed message of your own and fall back to a generic message for anything else, so no provider- or attacker-supplied text reaches the flash.
  • Render flash messages with Vue text interpolation ({{ }}) rather than v-html, so whatever is flashed is inserted as text. If v-html has to stay for other flash messages, HTML-escape the OAuth message before flashing it; escaping alone, with v-html still in place for the raw value, is fragile.
  • Apply the vendor's fix as soon as a patched release is available.
  • As a temporary workaround, disable or restrict OAuth callback error messages until a fix is applied.

Keep the HttpOnly flag on the session cookie (Laravel's session.http_only setting, true by default) so script cannot read it. That limits cookie theft but does not stop in-origin actions by injected script, so it is defence in depth rather than a fix.
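
The controller-side allow-list and the two rendering paths, side by side. This is an added example, not Mixpost's or Laravel's code: the fixed message strings are my own, the query objects are constructed, and v-html and {{ }} are modelled as "pass the string through as markup" versus "escape it as text", which is what they do to the DOM.

```javascript
// Added example, not Mixpost's or Laravel's code: the vulnerable flash
// pattern next to a hardened one, plus the two Vue rendering paths, so the
// difference between v-html and text interpolation is visible under Node.js.

// RFC 6749 section 4.1.2.1 defines a closed set of error codes. Mapping each
// to a fixed message (wording assumed here) means no provider- or
// attacker-supplied text is ever flashed for the code itself.
const OAUTH_ERROR_MESSAGES = {
  invalid_request: 'The authorization request was malformed.',
  unauthorized_client: 'This application may not use this authorization flow.',
  access_denied: 'You declined to authorize the connection.',
  unsupported_response_type: 'The provider does not support this response type.',
  invalid_scope: 'The requested permissions are not valid.',
  server_error: 'The provider reported an internal error.',
  temporarily_unavailable: 'The provider is temporarily unavailable.',
};
const GENERIC_MESSAGE = 'The provider rejected the authorization request.';

// error_description must stay within %x20-21 / %x23-5B / %x5D-7E. That set
// still contains '<' and '>', so passing this check is not HTML safety; the
// template must still render the value as text.
const RFC6749_CHARSET = /^[\x20-\x21\x23-\x5B\x5D-\x7E]*$/;
const MAX_DESCRIPTION = 200;

// What Vue text interpolation ({{ }}) and Laravel's e() do before a value
// reaches the DOM: the five HTML-significant characters become entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Rendering paths. v-html hands the string to the DOM as markup unchanged;
// {{ }} inserts it as text, modelled here as escaping.
const renderVHtml = (flash) => flash;
const renderTextInterpolation = (flash) => escapeHtml(flash);

// Vulnerable shape (the reported bug): the raw query value becomes the flash.
function buildFlashVulnerable(query) {
  return typeof query.error === 'string' ? query.error : 'OAuth error';
}

// Hardened shape: the code selects a fixed message; the description is kept
// only if it is RFC-conformant and short, and is stored as plain text for a
// template that renders it with {{ }}.
function buildFlashHardened(query) {
  const code = typeof query.error === 'string' ? query.error : '';
  // hasOwn, not a plain lookup: 'constructor' or 'toString' as a code must
  // not resolve to a prototype property.
  const message = Object.hasOwn(OAUTH_ERROR_MESSAGES, code)
    ? OAUTH_ERROR_MESSAGES[code]
    : GENERIC_MESSAGE;
  let detail = typeof query.error_description === 'string' ? query.error_description : '';
  if (!RFC6749_CHARSET.test(detail)) detail = '';
  detail = detail.slice(0, MAX_DESCRIPTION);
  return detail ? `${message} (${detail})` : message;
}

// Constructed inputs: an attacker's crafted link and an honest provider.
const ATTACK_QUERY = { error: '<img src=x onerror=alert(document.domain)>' };
const HONEST_QUERY = { error: 'access_denied', error_description: 'User <b>cancelled</b>' };

console.log('vulnerable + v-html :', renderVHtml(buildFlashVulnerable(ATTACK_QUERY)));
console.log('hardened   + v-html :', renderVHtml(buildFlashHardened(HONEST_QUERY)));
console.log('hardened   + {{ }}  :', renderTextInterpolation(buildFlashHardened(HONEST_QUERY)));
```

The second console line is the point of the exercise: even the hardened flash, which has passed the RFC 6749 character check, still contains a live <b> tag when pushed through v-html, so the allow-list on the controller side and the switch to text interpolation on the template side are both needed.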
