CVE-2026-29082
Published: 06 March 2026
Summary
CVE-2026-29082 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Kestra. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 17.1 percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-29082 is a cross-site scripting (XSS) vulnerability (CWE-79) in Kestra, an event-driven orchestration platform. It affects versions 1.1.10 and prior, where the execution-file preview feature renders user-supplied Markdown (.md) files using markdown-it with the html:true option. The resulting HTML is then injected via Vue's v-html directive without any sanitization, enabling arbitrary script execution in the context of the preview page. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by uploading a malicious .md file containing HTML/JavaScript payloads. Exploitation requires low attacker complexity (AC:L) and user interaction (UI:R), such as tricking a victim into previewing the file through Kestra's execution-file preview interface. Successful exploitation allows the attacker to achieve high-impact confidentiality and integrity violations (C:H/I:H), such as stealing session cookies, keystrokes, or other sensitive data from the victim's browser, or modifying the page content, with no availability impact (A:N) and no change in scope (S:U).
The GitHub security advisory (GHSA-r36c-83hm-pc8j) and release notes for v1.0.30 provide further details, though at the time of publication on 2026-03-06, no publicly available patches were reported. Security practitioners should monitor the Kestra repository for updates and consider disabling or restricting file preview functionality until mitigation is confirmed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10046
Vulnerability details
Kestra is an event-driven orchestration platform. In versions 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown (.md) with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there are no publicly available patches.
CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in the Kestra web preview allows network exploitation of a public-facing application (T1190) to run arbitrary JavaScript (T1059.007) for cookie theft or keylogging.
Affected Assets: Kestra, versions 1.1.10 and prior
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation and sanitization of untrusted Markdown input before it is rendered as HTML, directly blocking the unsanitized v-html injection path in the execution-file preview.
- SI-15 (Information Output Filtering): Mandates filtering of information output to remove or neutralize active content such as scripts, addressing the lack of sanitization when markdown-it HTML is injected via v-html.
- Provides malicious-code detection and blocking mechanisms that can identify and stop execution of attacker-supplied JavaScript payloads delivered through the Markdown preview feature.
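As an added example (not Kestra project code), the following Node.js script implements the kind of pre-render input check the input-validation control above describes: it flags raw HTML constructs that markdown-it passes through unchanged when instantiated with html:true, so a file can be blocked before it reaches v-html. The indicator list and the sample .md files are constructed for this example; it is a triage aid, not a substitute for rendering with html disabled or sanitising the output.

```javascript
// Added example, not Kestra project code: heuristic pre-render check for
// user-supplied Markdown (the SI-10 input-validation control). It flags raw
// HTML constructs that markdown-it emits verbatim under html:true. Indicator
// names and sample files below are constructed; this is triage, not a sanitiser.

const RAW_HTML_INDICATORS = [
  { name: "script-tag",        re: /<\s*script\b/i },
  { name: "event-handler",     re: /<[^>]+\son[a-z]+\s*=/i },
  { name: "javascript-url",    re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "embedding-element", re: /<\s*(?:iframe|object|embed|svg|math)\b/i },
  { name: "markdown-js-link",  re: /\]\(\s*javascript:/i },
];

// One finding per (line, indicator) so a reviewer can locate each construct.
function scanMarkdown(filename, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const { name, re } of RAW_HTML_INDICATORS) {
      if (re.test(line)) findings.push({ file: filename, line: idx + 1, indicator: name });
    }
  });
  return findings;
}

// Gate: only files with no raw-HTML indicators may reach an html:true renderer.
function isPreviewSafe(filename, text) {
  return scanMarkdown(filename, text).length === 0;
}

// Triage a set of stored uploads (object of filename -> Markdown text).
function triageUploads(files) {
  return Object.entries(files).map(([name, text]) => ({
    file: name,
    safe: isPreviewSafe(name, text),
    findings: scanMarkdown(name, text),
  }));
}

// Constructed sample uploads: one benign run report, one carrying raw HTML.
const SAMPLES = {
  "report.md": "# Run report\n\nAll 12 tasks **succeeded**. See [docs](https://example.invalid/docs).\n",
  "notes.md":  "# Notes\n\n<script>alert(1)</script>\n\n<img src=x onerror=\"alert(1)\">\n\nClick [here](javascript:alert(1))\n",
};

for (const r of triageUploads(SAMPLES)) {
  const detail = r.findings.map((f) => `line ${f.line}: ${f.indicator}`).join(", ");
  console.log(`${r.file}: ${r.safe ? "safe to preview" : "BLOCK preview (" + detail + ")"}`);
}
```

Run it as a pre-upload hook or over already-stored execution files; any file that returns findings should be withheld from the preview until it has been reviewed or rendered through a sanitising path.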