CVE-2026-27469

Source
https://cve.org/CVERecord?id=CVE-2026-27469
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27469.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27469
Aliases
Published
2026-02-21T07:24:38.971Z
Modified
2026-04-02T13:20:21.498539Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Isso: Stored XSS via comment website field
Details

Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. As a workaround, enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue, since a moderator activating a malicious comment would still expose visitors.
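The escaping difference described above, as an added example that is not Isso's own code: it assumes the standard-library html.escape (whose quote= argument matches the advisory's quote=False) and a single-quoted href built by concatenation, and uses a constructed sample value; the parse-back check is the kind of test that catches this class of defect before release.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (not from the advisory): a "website" value holding a single quote.
SAMPLE_WEBSITE = "https://example.test/' data-x='injected"


def escape_weak(value: str) -> str:
    """Pre-fix behaviour: escapes &, < and > but leaves ' and " untouched."""
    return html.escape(value, quote=False)


def escape_hardened(value: str) -> str:
    """Fixed behaviour: also escapes " and ', so the value cannot close an attribute."""
    return html.escape(value, quote=True)


def render_author_link(website: str, escape) -> str:
    """Assumed shape of the client-side markup: a single-quoted href built by concatenation."""
    return "<a href='" + escape(website) + "'>author</a>"


class _AttrCollector(HTMLParser):
    """Records the attributes a browser would see on the first <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Parses the rendered link and returns its attribute map (values already unescaped)."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def is_safely_embedded(website: str, escape) -> bool:
    """True only if the value survives as exactly one href attribute, whatever characters it held."""
    attrs = parsed_attributes(render_author_link(website, escape))
    return list(attrs) == ["href"] and attrs["href"] == website
```

With escape_weak the sample value yields a second attribute (data-x) on the tag; with escape_hardened the whole value, quote included, stays inside href.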

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27469.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/isso-comments/isso

Affected ranges

Type
GIT
Repo
https://github.com/isso-comments/isso
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.10
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.6+git20181001+dfsg-1
0.11.0
0.11.1
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.6-pre
0.12.6.1
0.12.6.2
0.13.0
0.13.0.beta0
0.13.1.dev0
0.2
0.2.1
0.2.2
0.2.3
0.3
0.3.1
0.4
0.4.1
0.5
0.5.1
0.5.2
0.5.3
0.6
0.6.1
0.7
0.7.1
0.8
0.8.1
0.8.2
0.8.3
0.9
0.9.1
0.9.10
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
archive/debian/0.*
archive/debian/0.10.6-2
debian/0.*
debian/0.10.4-1
debian/0.10.6+git20170928+dfsg-1
debian/0.10.6+git20181001+dfsg-1
debian/0.10.6-1
debian/0.10.6-2
debian/0.11.1-1
debian/0.11.1-2
debian/0.11.1-3
debian/0.12.0-1
debian/0.12.2-1
debian/0.12.2-2
debian/0.12.2-3
debian/0.12.2-4
debian/0.9.4-1
debian/0.9.7-1
debian/0.9.8-1
debian/0.9.9-1
social-0.*
social-0.10.7.3
social-0.10.7.4
social-0.10.7.5
upstream/0.*
upstream/0.10.3
upstream/0.10.4
upstream/0.10.6
upstream/0.10.6+git20170927
upstream/0.10.6+git20170927+dfsg
upstream/0.10.6+git20170928
upstream/0.10.6+git20170928+dfsg
upstream/0.10.6+git20181001+dfsg
upstream/0.11.1
upstream/0.12.0
upstream/0.12.1
upstream/0.12.2
upstream/0.12.4
upstream/0.9.10
upstream/0.9.2
upstream/0.9.4
upstream/0.9.7
upstream/0.9.8
upstream/0.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27469.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"
            }
        ]
    }
]