{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-19T17:25:31.101Z", "datePublished": "2026-02-21T07:24:38.971Z", "dateUpdated": "2026-02-24T18:50:07.650Z"}, "containers": {"cna": {"title": "Isso: Stored XSS via comment website field", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r"}, {"name": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144", "tags": ["x_refsource_MISC"], "url": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"}, {"name": "https://docs.python.org/3/library/html.html#html.escape", "tags": ["x_refsource_MISC"], "url": "https://docs.python.org/3/library/html.html#html.escape"}], "affected": [{"vendor": "isso-comments", "product": "isso", "versions": [{"version": "< 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T07:24:38.971Z"}, "descriptions": [{"lang": "en", "value": "Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors."}], "source": {"advisory": "GHSA-9fww-8cpr-q66r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:49:50.634395Z", "id": "CVE-2026-27469", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:50:07.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27469", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:49:50.634395Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:50:00.100Z"}}], "cna": {"title": "Isso: Stored XSS via comment website field", "source": {"advisory": "GHSA-9fww-8cpr-q66r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "isso-comments", "product": "isso", "versions": [{"status": "affected", "version": "< 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"}]}], "references": [{"url": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r", "name": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144", "name": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.python.org/3/library/html.html#html.escape", "name": "https://docs.python.org/3/library/html.html#html.escape", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T07:24:38.971Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27469", "state": "PUBLISHED", "dateUpdated": "2026-02-24T18:50:07.650Z", "dateReserved": "2026-02-19T17:25:31.101Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T07:24:38.971Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors."}, {"lang": "es", "value": "Isso es un servidor de comentarios ligero escrito en Python y JavaScript. En commits anteriores a 0afbfe0691ee237963e3fb0b2ee01c9e55ca2144, existe una vulnerabilidad de cross-site scripting (XSS) almacenado que afecta los campos de sitio web y de comentario del autor. El campo del sitio web fue escapado en HTML usando quote=False, lo que dej\u00f3 las comillas simples y dobles sin escapar. Dado que el frontend inserta el valor del sitio web directamente en un atributo href entre comillas simples mediante concatenaci\u00f3n de cadenas, una comilla simple en la URL rompe el contexto del atributo, permitiendo la inyecci\u00f3n de manejadores de eventos arbitrarios (p. ej. onmouseover, onclick). El mismo escape est\u00e1 completamente ausente del endpoint de edici\u00f3n de comentarios para el usuario (PUT /id/) y del endpoint de edici\u00f3n de moderaci\u00f3n (POST /id//edit/). Este problema ha sido parcheado en el commit 0afbfe0691ee237963e3fb0b2ee01c9e55ca2144. Como soluci\u00f3n alternativa, habilitar la moderaci\u00f3n de comentarios (moderation = enabled = true en isso.cfg) evita que los usuarios no autenticados publiquen comentarios, elevando la dificultad para la explotaci\u00f3n, pero no mitiga completamente el problema ya que un moderador que active un comentario malicioso a\u00fan expondr\u00eda a los visitantes."}], "id": "CVE-2026-27469", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-21T08:16:11.993", "references": [{"source": "security-advisories@github.com", "url": "https://docs.python.org/3/library/html.html#html.escape"}, {"source": "security-advisories@github.com", "url": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"}, {"source": "security-advisories@github.com", "url": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0afbfe0691ee237963e8fb0b2ee01c9e55ca2144)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "isso", "source": "cna", "vendor": "isso-comments"}, "product": "isso", "vendor": "isso-comments"}], "analysis": {"en": {"generated_at": "2026-04-17T16:50:16.148407+00:00", "value": {"mitigation_remediation": ["Upgrade Isso to the latest release that includes commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, which applies proper escaping to the website and comment fields.", "If an immediate update is not feasible, enable comment moderation in isso.cfg (moderation = true) to block unauthenticated comment posting, thereby limiting the attack surface. Note that a trusted moderator could still publish a malicious comment, so this is only a temporary mitigation.", "Review the configuration and any custom templating to ensure that all user\u2011supplied content\u2014especially the website field\u2014is properly escaped or sanitized before rendering to prevent future XSS flaws."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting in the comment website field"}, "threat_synthesis": {"affected_systems": "Isso commenting server. Any version of Isso prior to commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144 is affected. The vulnerability exists in the website field, comment edit endpoint (PUT /id/), and moderation edit endpoint (POST /id//edit/).", "description_and_impact": "Essa vulnerability allows an attacker to store malicious JavaScript by injecting it into the website or comment fields of a comment. The unsanitized input, lacking proper escaping of single and double quotes, can break out of an HTML attribute on the page and bind arbitrary event handlers such as onmouseover or onclick. When a victim loads a page containing the comment, the injected script runs in the context of the site, potentially defacing the page, stealing credentials, or redirecting to malicious sites. The flaw is a classic stored XSS, controlled by the attacker but displayed to all visitors, leading to confidentiality and integrity compromise. The associated weaknesses are improper input validation (CWE\u2011116) and lack of output escaping (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity. EPSS <1% shows a very low likelihood of exploitation at the time of analysis, and it is not listed in CISA\u2019s KEV catalog. Likely attack vectors are web\u2011based: an attacker can submit a comment or edit an existing one when authentication or moderator approval is possible. If moderation is disabled, unauthenticated users can publish comments, raising the exploitation bar. The stored nature of the payload means the impact persists for all page visitors until the comment is removed or the site is updated."}}}}, "created": "2026-02-23T14:32:22.441376+00:00", "updated": "2026-04-17T17:00:10.170785+00:00", "vendors": ["isso-comments", "isso-comments$PRODUCT$isso"]}