CVE-2025-53543

MEDIUM4.2Cross-site scripting

Description

Kestra is an event-driven orchestration platform. The error message in execution "Overview" tab is vulnerable to stored XSS due to improper handling of HTTP response received. This vulnerability is fixed in 0.22.0.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

kestra-io / kestra< 0.22.0 – < 0.22.0

References

VENDOR_ADVISORYhttps://github.com/kestra-io/kestra/security/advisories/GHSA-qpj4-4r6r-wvf4

Updated 3m ago · 2 sources