{
  "description": "Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/cve-2026-33664/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["high"],
      "_cs_tags": ["kestra", "xss", "cve-2026-33664", "orchestration"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "<p>Kestra, an open-source, event-driven orchestration platform, is vulnerable to a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2026-33664. This flaw resides in versions up to and including 1.3.3. The application fails to properly sanitize user-supplied flow YAML metadata fields, specifically <code>description</code>, <code>inputs[].displayName</code>, and <code>inputs[].description</code>. These fields are rendered through the <code>Markdown.vue</code> component with <code>html: true</code>, resulting in unsanitized HTML…</p>\n",
      "date_modified": "2026-03-27T12:00:00Z",
      "date_published": "2026-03-27T12:00:00Z",
      "id": "/briefs/2026-03-kestra-xss/",
      "summary": "Kestra versions up to 1.3.3 are vulnerable to a cross-site scripting (XSS) vulnerability (CVE-2026-33664) allowing arbitrary JavaScript execution by viewing crafted flow metadata.",
      "title": "Kestra Orchestration Platform XSS Vulnerability (CVE-2026-33664)",
      "url": "https://feed.craftedsignal.io/briefs/2026-03-kestra-xss/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — CVE-2026-33664",
  "version": "https://jsonfeed.org/version/1.1"
}