CVE-2026-57958 | Mixpost through 2.6.0 contains a reflected cross-site script… | CVSS 6.1 MEDIUM

Description

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.

Metadata

CVE ID: CVE-2026-57958
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:59 UTC
Published: 2026-06-29 17:23 UTC
Last updated: 2026-06-29 18:08 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: inovector / mixpost
Sources: cve.org · NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
inovector	mixpost	—	0 ≤ 2.6.0

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.1	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References (2)