Bug 2421814 (CVE-2025-8082)

Summary: CVE-2025-8082 Vuetify: Vuetify: Cross-Site Scripting (XSS) vulnerability in VDatePicker component
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Vuetify's VDatePicker component. This vulnerability allows unsanitized HTML to be inserted into the page, leading to a Cross-Site Scripting (XSS) attack via the 'title-date-format' property accepting a user-created function and assigning its output to the 'innerHTML' property without sanitization.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2423082, 2423085, 2423087, 2423089, 2423081, 2423084, 2423086, 2423088    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-12 19:01:39 UTC 
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a  Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss  attack. The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user created function and assign its output to the 'innerHTML' property of the title element without sanitization.

This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.

Note:
Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see  here https://v2.vuetifyjs.com/en/about/eol/ .