Anonymous Intelligence Signal

Critical XSS Vulnerability in Vue.js Frontend Exposes Users to Script Injection via Unsanitized v-html Rendering

human The Lab unverified 2026-04-24 21:54:09 Source: GitHub Issues

A documented XSS vulnerability in the frontend codebase exposes users to arbitrary JavaScript execution through unsanitized v-html directives in Vue.js components. The vulnerability affects markdown report rendering and knowledge graph entity descriptions, with LLM-generated content identified as a particularly high-risk input source.

The issue centers on `frontend/src/App.vue`, where the application uses `v-html` to render `renderedReport`, a computed property that passes raw markdown content through the `marked()` function without sanitization. A secondary vulnerability exists in the knowledge graph display component, where `entity.description` fields sourced directly from LLM output are rendered without sanitization. The issue report treats LLM-generated content as completely untrusted input, so this creates a pathway for malicious HTML or JavaScript injection.

The documented impact includes script execution via XSS, data exfiltration through stolen cookies and tokens, phishing attacks using fake UI elements, and LLM output injection, where the language model itself could output malicious HTML. A proposed fix involves sanitizing the HTML with DOMPurify before rendering, with a configurable `ALLOWED_TAGS` list that permits only safe markdown elements. The vulnerability remains unfixed as of this report, leaving the affected components exposed to client-side attacks.
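An added example, not code from the issue or the project: a small static audit that lists each `v-html` binding in a Vue single-file component and marks whether its root identifier resolves to code that calls `DOMPurify.sanitize()`. The sample component is constructed (`safeSummary`, `entities`, `entity.id` and the tag list are assumptions), and the brace matching is a heuristic rather than a parser.

```javascript
// Static audit: list v-html bindings in a Vue SFC and flag those that do not
// resolve to code calling the sanitizer. Heuristic brace matching, not a parser.
// Assumption: the project standardizes on DOMPurify.sanitize().
const SANITIZER = /DOMPurify\.sanitize\s*\(/;

// Brace-balanced body of the first `name(...) {`, `name: ... {` or `name = ... {`.
function bodyOf(script, name) {
  const m = new RegExp(`\\b${name}\\b\\s*(?:\\(|[:=])`).exec(script);
  if (!m) return null;
  const open = script.indexOf('{', m.index);
  if (open === -1) return null;
  let depth = 0;
  for (let i = open; i < script.length; i++) {
    if (script[i] === '{') depth++;
    else if (script[i] === '}' && --depth === 0) return script.slice(open, i + 1);
  }
  return null;
}

function auditSfc(source) {
  const script = (/<script[^>]*>([\s\S]*?)<\/script>/.exec(source) || ['', ''])[1];
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(/v-html\s*=\s*(["'])(.+?)\1/g)) {
      const expr = m[2].trim();
      const root = (/^[A-Za-z_]\w*/.exec(expr) || [''])[0];
      const body = root ? bodyOf(script, root) : null;
      const sanitized = SANITIZER.test(expr) || (body !== null && SANITIZER.test(body));
      findings.push({ line: idx + 1, expr, sanitized });
    }
  });
  return findings;
}

// Constructed sample component (not the project's App.vue).
const SAMPLE_SFC = `<template>
  <div v-html="renderedReport"></div>
  <p v-for="entity in entities" :key="entity.id" v-html="entity.description"></p>
  <div v-html="safeSummary"></div>
</template>
<script>
export default { computed: {
  renderedReport() { return marked(this.report) },
  safeSummary() {
    return DOMPurify.sanitize(marked(this.summary), { ALLOWED_TAGS: ['p', 'em', 'strong'] }) }
} }
</script>`;

console.log(auditSfc(SAMPLE_SFC).filter((f) => !f.sanitized));
```

Run over every `.vue` file in CI, a non-empty list of unsanitized findings can fail the build until the binding is routed through the sanitizer.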