CVE-2026-24474 - Vulnerability Details - OpenCVE

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a
https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69

History

Sat, 24 Jan 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue.
Title		Dioxus Components has JavaScript injection via user-supplied IDs
Weaknesses		CWE-94 CWE-95
References		https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-23T23:50:35.700Z

Updated: 2026-01-23T23:50:35.700Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24474

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-24T00:15:49.603

Modified: 2026-01-24T00:15:49.603

Link: CVE-2026-24474

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24474", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.547Z", "datePublished": "2026-01-23T23:50:35.700Z", "dateUpdated": "2026-01-23T23:50:35.700Z"}, "containers": {"cna": {"title": "Dioxus Components has JavaScript injection via user-supplied IDs", "problemTypes": [{"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69"}, {"name": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "tags": ["x_refsource_MISC"], "url": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a"}], "affected": [{"vendor": "DioxusLabs", "product": "components", "versions": [{"version": "< 41e4242ecb1062d04ae42a5215363c1d9fd4e23a", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-23T23:50:35.700Z"}, "descriptions": [{"lang": "en", "value": "Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue."}], "source": {"advisory": "GHSA-34pj-292j-xr69", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue."}], "id": "CVE-2026-24474", "lastModified": "2026-01-24T00:15:49.603", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-24T00:15:49.603", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a"}, {"source": "security-advisories@github.com", "url": "https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}], "source": "security-advisories@github.com", "type": "Primary"}]}