CVE-2026-27701
- Source
- https://cve.org/CVERecord?id=CVE-2026-27701
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27701.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27701
- Aliases
-
- GHSA-xh9w-5859-x97j
- Published
- 2026-02-25T15:06:17.617Z
- Modified
- 2026-03-02T00:46:28.632367Z
- Severity
-
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
- Details
-
LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's
i18n-update-pullGitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into aactions/github-scriptJavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (CI_APP_ID/CI_APP_PRIVATE_KEY), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27701.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-94" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27701.json
- https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11
- https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j
- https://nvd.nist.gov/vuln/detail/CVE-2026-27701
Affected packages
Git / github.com/live-codes/livecodes
Affected ranges
- Type
- GIT
- Repo
- https://github.com/live-codes/livecodes
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
hotfix2
v10
v11
v12
v13
v14
v15
v16
v17
v18
v19
v20
v21
v22
v23
v24
v25
v26
v27
v28
v29
v3
v30
v31
v32
v33
v34
v35
v36
v37
v38
v39
v4
v42
v43
v44
v45
v46
v47
v48
v5
v6
v7
v8
v9
sdk-v0.*
sdk-v0.0.3
sdk-v0.1.0
sdk-v0.1.1
sdk-v0.1.2
sdk-v0.10.0
sdk-v0.11.0
sdk-v0.11.1
sdk-v0.12.0
sdk-v0.13.0
sdk-v0.2.0
sdk-v0.2.1
sdk-v0.3.0
sdk-v0.4.0
sdk-v0.5.0
sdk-v0.6.0
sdk-v0.7.0
sdk-v0.7.1
sdk-v0.7.2
sdk-v0.8.0
sdk-v0.9.0
sdk-v0.9.1
v0.*
v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.7.0