https://feed.craftedsignal.io/tags/cve-2026-33664/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 27 Mar 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-03-kestra-xss/Fri, 27 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-kestra-xss/Kestra versions up to 1.3.3 are vulnerable to a cross-site scripting (XSS) vulnerability (CVE-2026-33664) allowing arbitrary JavaScript execution by viewing crafted flow metadata.Kestra, an open-source, event-driven orchestration platform, is vulnerable to a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2026-33664. This flaw resides in versions up to and including 1.3.3. The application fails to properly sanitize user-supplied flow YAML metadata fields, specifically description, inputs[].displayName, and inputs[].description. These fields are rendered through the Markdown.vue component with html: true, resulting in unsanitized HTML…

]]>highadvisorykestraxsscve-2026-33664orchestration