QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-53892

Back to search

CVE-2025-53892

Published: Jul 16, 2025

Modified: Jul 22, 2025

PUBLISHED

Description

Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue.

VendorProductVersions

intlify

vue-i18n

affected
>= 9.0.0, < 9.14.5
affected
>= 10.0.0, < 10.0.8
affected
>= 11.0.0, < 11.1.0

Weaknesses (CWE)

CWE-79

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now