LOW
blitz-js
CVE published 2026-05-26
CVE-2026-9520
A cross-site scripting (XSS) vulnerability exists in blitz-js blitz versions up to 3.0.2, specifically within the LoginForm.tsx component's handling of the 'Next' argument during sign-in operations. The vulnerability allows remote attackers to inject malicious scripts through manipulation of this parameter. The issue was disclosed to the vendor without response prior to public disclosure. The vulnerabilit [truncated]