CVE-2026-24474 is a vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Code Injection) affecting the DioxusLabs Dioxus Components library, a UI component library for the Dioxus app framework. The vulnerability exists in the `use_animated_open` function prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, where a string is formatted for evaluation via JavaScript's eval function using an `id` parameter that can be controlled by an attacker. Because eval executes code represented as a string, if the input is not properly sanitized, an attacker can inject malicious code that will be executed in the application's runtime context. This can lead to arbitrary code execution, potentially compromising the confidentiality and integrity of the application and its data. The vulnerability is remotely exploitable without authentication but requires user interaction, such as triggering the vulnerable component with crafted input. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact and ease of exploitation. The issue was patched by removing or properly sanitizing the eval usage in the specified commit. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of using eval with user-supplied data in frontend frameworks and the importance of secure coding practices in component libraries.

For European organizations, the impact of CVE-2026-24474 depends on their use of the Dioxus framework and the affected component library versions. Exploitation could allow attackers to execute arbitrary code within the context of affected web applications, potentially leading to data leakage, unauthorized actions, or further compromise of backend systems if the frontend is trusted. This could affect confidentiality and integrity of sensitive information processed or displayed by the application. Availability impact is limited as the vulnerability does not directly cause denial of service. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit. Organizations in sectors with high reliance on modern web applications and Rust-based frameworks, such as technology companies, financial services, and critical infrastructure operators, may face higher risks. Additionally, regulatory requirements under GDPR emphasize the protection of personal data, so exploitation leading to data breaches could have legal and reputational consequences.

1. Immediately update all Dioxus Components libraries to versions including or after commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a to ensure the vulnerability is patched. 2. Conduct a thorough code review of any custom components or application code that uses eval or similar dynamic code execution functions, especially where user input is involved, to identify and remediate unsafe patterns. 3. Implement strict input validation and sanitization on all user-supplied data that could be used in dynamic code contexts. 4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and eval usage in web applications, reducing the risk of code injection exploitation. 5. Monitor application logs and user activity for unusual behavior that could indicate attempted exploitation. 6. Educate developers on the risks of eval and dynamic code execution, promoting safer alternatives such as direct function calls or templating engines that do not rely on eval. 7. In deployment environments, consider sandboxing or isolating components that handle user input to limit the blast radius of potential exploits.