TROYANOSYVIRUS
Retour aux CVEs

CVE-2026-27612

MEDIUM
6.1

Description

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of dangerouslySetInnerHTML has been removed, and the repo prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.

Details CVE

Score CVSS v3.16.1
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurREQUIRED
Publie2/25/2026
Derniere modification2/27/2026
Sourcenvd
Observations honeypot0

Produits affectes

denpiligrim:repostat

Faiblesses (CWE)

CWE-79

References

https://github.com/denpiligrim/repostat/commit/715df5f73359d222fd7876e948d14290180e3c88(security-advisories@github.com)
https://github.com/denpiligrim/repostat/security/advisories/GHSA-fm8c-6m29-rp6j(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.