diff --git a/vulnerabilities/AIKIDO-2026-10303.json b/vulnerabilities/AIKIDO-2026-10303.json
new file mode 100644
index 00000000..a1ce21f0
--- /dev/null
+++ b/vulnerabilities/AIKIDO-2026-10303.json
@@ -0,0 +1,26 @@
+{
+ "package_name": "@atomicfi/transact-javascript",
+ "patch_versions": [
+ "3.0.11"
+ ],
+ "vulnerable_ranges": [
+ [
+ "3.0.10",
+ "3.0.10"
+ ]
+ ],
+ "cwe": [
+ "CWE-20"
+ ],
+ "tldr": "Affected versions of this package allowed unvalidated user-controlled URLs to be passed directly to `window.open`, enabling arbitrary schemes such as `javascript:` or `data:` to be executed in a new browser context. This could allow an attacker to craft a malicious `payload.url` that executes JavaScript or redirects users to phishing pages when the link is opened. By injecting a specially crafted URL into the event handler, an attacker could trigger client-side script execution or malicious navigation. The patch mitigates this by parsing the URL and restricting navigation strictly to the `https:` protocol.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `@atomicfi/transact-javascript` library to the patch version.",
+ "vulnerable_to": "Improper Input Validation",
+ "related_cve_id": "",
+ "language": "JS",
+ "severity_class": "MEDIUM",
+ "aikido_score": 48,
+ "changelog": "https://github.com/atomicfi/atomic-transact-javascript/releases/tag/3.0.11",
+ "last_modified": "2026-03-06",
+ "published": "2026-03-06"
+}
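Review bot: `related_cve_id` is set to the empty string `""`, which makes "no CVE assigned" indistinguishable from a field that was simply not filled in; unless the repository's record schema requires a string here, `"related_cve_id": null` (or omitting the key) is the less ambiguous encoding, and consumers that look records up by CVE id then do not have to special-case `""`. The `vulnerable_ranges` entry pins exactly `["3.0.10", "3.0.10"]` while the tldr speaks of "affected versions" in the plural; if earlier 3.0.x releases also handed `payload.url` to `window.open` without scheme validation, users on those versions would not be flagged by this record, so the lower bound is worth confirming against the linked changelog before publishing. The key `doest_this_affect_me` reads as a misspelling of `does_this_affect_me`, but if it is the key every other file under `vulnerabilities/` uses it must stay as is, since consumers read it by name.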