CVE-2026-27627

{"id": "CVE-2026-27627", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T04:16:03.757", "references": [{"url": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue."}, {"lang": "es", "value": "Karakeep es una aplicaci\u00f3n autohospedable para marcar (bookmark) todo. En la versi\u00f3n 0.30.0, cuando el plugin metascraper de Reddit devuelve 'readableContentHtml', el subproceso de an\u00e1lisis HTML lo utiliza directamente sin pasarlo por DOMPurify. Cada fuente de contenido diferente en el rastreador pasa por Readability + DOMPurify, pero la ruta de Reddit omite ambos. Dado que este contenido termina en 'dangerouslySetInnerHTML' en la vista de lectura, cualquier HTML malicioso en la respuesta de Reddit se ejecuta en el navegador del usuario. La versi\u00f3n 0.31.0 contiene un parche para este problema."}], "lastModified": "2026-03-10T18:51:43.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "004A66CE-C6A3-44FD-BAA3-A73F3DE8E85D"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}