The Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions in lib/phoenix_live_view/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path.
Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session.
Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via <.link href={...}> are affected.
This issue affects phoenix_live_view: from 1.2.2 before 1.2.7.
Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Workaround
Strip leading ASCII control and space bytes (code points 0x00 through 0x20) from any untrusted URL before passing it to <.link href={...}>, or reject such inputs outright. This aligns application-level validation with the WHATWG URL parser used by browsers and prevents the scheme-detection bypass.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 13 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 13 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Cross-site scripting vulnerability in phoenixframework phoenix_live_view allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.valid_destination!/2 and Phoenix.LiveView.Utils.valid_live_navigation_destination!/2 functions in lib/phoenix_live_view/utils.ex rely on an internal uri_scheme/1 helper that only detects a scheme when the input's first byte is an ASCII letter. Inputs beginning with an ASCII control character or space fall through to a nil-returning clause, causing the URL to be treated as a safe relative path. Standard browsers implement the WHATWG URL parser, which strips leading C0 control and space characters before parsing. As a result, an input such as " javascript:alert(1)" is passed unchanged into <.link href={...}> and, when clicked, is parsed by the browser as a javascript: URL that executes attacker-controlled script in the victim's session. Applications that render user-supplied URLs (for example profile links, redirect targets, or external references) via <.link href={...}> are affected. This issue affects phoenix_live_view: from 1.2.2 before 1.2.7. | |
| Title | Scheme validation bypass in Phoenix.LiveView.Utils leads to XSS via <.link> | |
| First Time appeared |
Phoenixframework
Phoenixframework phoenix Live View |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:phoenixframework:phoenix_live_view:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Phoenixframework
Phoenixframework phoenix Live View |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-07-13T18:58:51.407Z
Reserved: 2026-06-29T18:54:08.633Z
Link: CVE-2026-58228
Updated: 2026-07-13T18:58:43.613Z
No data.
No data.
OpenCVE Enrichment
No data.