PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58228 phoenixframework CVE debrief

A cross-site scripting vulnerability exists in phoenixframework phoenix_live_view, allowing an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The issue arises from the way the Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions handle URL inputs. Specifically, the internal uri_scheme/1 helper only detects a scheme when the input's first byte is an ASCII letter, causing inputs starting with ASCII control characters or spaces to be treated as safe relative paths. As standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing, an attacker can exploit this by providing a specially crafted URL that is then parsed by the browser as a javascript: URL, executing attacker-controlled script in the victim's session. This affects applications that render user-supplied URLs via <.link href={...}>. The issue impacts phoenix_live_view versions from 1.2.2 before 1.2.7.

Vendor
phoenixframework
Product
phoenix_live_view
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Developers and administrators using phoenixframework phoenix_live_view versions from 1.2.2 before 1.2.7 should be aware of this cross-site scripting vulnerability. Applications that render user-supplied URLs via <.link href={...}> are potentially affected. Users of Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions should review their usage to ensure proper validation of URL inputs.

Technical summary

The Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions in lib/phoenix_live_view/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. This causes inputs beginning with an ASCII control character or space to fall through to a nil-returning clause, treating the URL as a safe relative path. Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. Consequently, an input such as ' javascript:alert(1)' is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session.

Defensive priority

Medium priority should be given to addressing this vulnerability, as it allows for cross-site scripting attacks. Affected applications should upgrade to phoenix_live_view version 1.2.7 or later. In the meantime, developers should validate and sanitize all user-supplied URL inputs to prevent exploitation.

Recommended defensive actions

  • Upgrade to phoenix_live_view version 1.2.7 or later.
  • Validate and sanitize all user-supplied URL inputs.
  • Implement additional security measures such as Content Security Policy (CSP) to mitigate cross-site scripting attacks.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-13T19:17:30.317Z and was last modified on 2026-07-13T20:37:48.157Z. The NVD entry is currently Deferred. Multiple sources, including the CVE.org record, NVD detail, and various GitHub advisories, provide information about this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T19:17:30.317Z and has not been modified since then. The NVD entry is currently Deferred.