Severity: Critical
CVSS Score: 9.1
Versions of `vant` prior to 2.1.8 are vulnerable to Cross-Site Scripting. The text value of the `Picker` component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim's browser.

## Recommendation

Upgrade to version 2.1.8 or later.