CVE-2026-24474

N/A Unknown

📋 TL;DR

This vulnerability in Dioxus Components allows arbitrary JavaScript code execution through user-supplied input in the `use_animated_open` function. It affects applications using vulnerable versions of the Dioxus Components library. Attackers can exploit this to execute malicious code in the context of the application.

💻 Affected Systems

Products:
  • Dioxus Components library
Versions: All versions prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the vulnerable `use_animated_open` function from Dioxus Components.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the application with remote code execution, data theft, and potential server takeover.

🟠 Likely Case

Cross-site scripting (XSS) attacks leading to session hijacking, data manipulation, or client-side attacks.

🟢 If Mitigated

Limited impact with proper input validation and content security policies in place.

🌐 Internet-Facing: HIGH - Web applications using this library are directly exposed to user input.
🏢 Internal Only: MEDIUM - Internal applications still process user input but have reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input to reach the vulnerable function, which is typical in web applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a

Vendor Advisory: https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69

Restart Required: No

Instructions:

1. Update Dioxus Components to include commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a
2. Rebuild and redeploy your application
3. Verify the fix by checking the commit hash in your dependencies

🔧 Temporary Workarounds

Input Validation (all platforms)

Implement strict input validation for any user-supplied data passed to `use_animated_open`

Content Security Policy (all platforms)

Implement strict CSP headers to limit script execution

🧯 If You Can't Patch

  • Disable or remove usage of the `use_animated_open` function
  • Implement additional server-side validation for all user inputs

🔍 How to Verify

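Check if Vulnerable:

Check whether your Dioxus Components dependency includes commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a. If it does not, the application is vulnerable wherever it uses `use_animated_open`.

Check Version:

Check your Cargo.toml or dependency lock file for the Dioxus Components version or pinned commit

Verify Fix Applied:

Verify that the commit your project's dependency tree resolves to is 41e4242ecb1062d04ae42a5215363c1d9fd4e23a or a later commit that contains it. Commit hashes are not ordered, so this is a question of ancestry in the repository history, not of comparing hash values.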
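One way to automate the lock-file check above, as an added example that is not code from the advisory or the Dioxus project. It assumes the library is pulled as a git dependency from the repository named in the advisory URL; the sample lock file and the `example-components-*` package names are constructed placeholders.

```python
import re

FIX_COMMIT = "41e4242ecb1062d04ae42a5215363c1d9fd4e23a"  # fix commit from the advisory
REPO = "//github.com/dioxuslabs/components"  # repository from the advisory URL

# Cargo.lock records a git dependency as:
#   source = "git+<url>[?rev=..|branch=..|tag=..]#<40-hex resolved commit>"
SOURCE_RE = re.compile(r'^source = "git\+([^"#?]+)(?:\?[^"#]*)?#([0-9a-f]{40})"$')
NAME_RE = re.compile(r'^name = "([^"]+)"$')

# Constructed sample lock file; the example-components-* names are placeholders.
SAMPLE_LOCK = """\
[[package]]
name = "example-components-a"
version = "0.0.0"
source = "git+https://github.com/DioxusLabs/components?rev=41e4242#41e4242ecb1062d04ae42a5215363c1d9fd4e23a"

[[package]]
name = "example-components-b"
version = "0.0.0"
source = "git+https://github.com/DioxusLabs/components.git?branch=main#0123456789abcdef0123456789abcdef01234567"

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

def from_repo(url):
    """True if a git source URL points at the advisory's repository."""
    url = re.sub(r"\.git/?$", "", url.lower())
    return url.rstrip("/").endswith(REPO)

def pinned_commits(lock_text):
    """Return {package name: resolved commit} for packages sourced from REPO."""
    found, name = {}, None
    for line in map(str.strip, lock_text.splitlines()):
        if line == "[[package]]":
            name = None
        elif m := NAME_RE.match(line):
            name = m.group(1)
        elif (m := SOURCE_RE.match(line)) and name and from_repo(m.group(1)):
            found[name] = m.group(2)
    return found

def classify(lock_text):
    """Label each package 'fix-commit' or 'check-ancestry'."""
    # A different hash may be older or newer; only git history can tell.
    return {n: "fix-commit" if c == FIX_COMMIT else "check-ancestry"
            for n, c in pinned_commits(lock_text).items()}
```

For a package labelled `check-ancestry`, run `git merge-base --is-ancestor 41e4242ecb1062d04ae42a5215363c1d9fd4e23a <pinned-commit>` in a clone of the repository; exit status 0 means the pinned commit contains the fix. Registry-sourced packages carry no commit hash in the lock file and are not reported by this script.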

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Suspicious eval() calls with user input

Network Indicators:

  • Unexpected outbound connections from web application

SIEM Query:

Search for patterns of malicious JavaScript execution or eval() usage in application logs
