{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27627", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.027Z", "datePublished": "2026-02-25T03:48:07.431Z", "dateUpdated": "2026-02-25T21:20:03.257Z"}, "containers": {"cna": {"title": "Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj"}, {"name": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9", "tags": ["x_refsource_MISC"], "url": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9"}, {"name": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0"}], "affected": [{"vendor": "karakeep-app", "product": "karakeep", "versions": [{"version": "= 0.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:48:07.431Z"}, "descriptions": [{"lang": "en", "value": "Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue."}], "source": {"advisory": "GHSA-mg93-f9mw-wpgj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:19:52.460762Z", "id": "CVE-2026-27627", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:20:03.257Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27627", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:19:52.460762Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:19:58.400Z"}}], "cna": {"title": "Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS", "source": {"advisory": "GHSA-mg93-f9mw-wpgj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "karakeep-app", "product": "karakeep", "versions": [{"status": "affected", "version": "= 0.30.0"}]}], "references": [{"url": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj", "name": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9", "name": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0", "name": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:48:07.431Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27627", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:20:03.257Z", "dateReserved": "2026-02-20T22:02:30.027Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T03:48:07.431Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:-:*:*", "matchCriteriaId": "004A66CE-C6A3-44FD-BAA3-A73F3DE8E85D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue."}, {"lang": "es", "value": "Karakeep es una aplicaci\u00f3n autohospedable para marcar (bookmark) todo. En la versi\u00f3n 0.30.0, cuando el plugin metascraper de Reddit devuelve 'readableContentHtml', el subproceso de an\u00e1lisis HTML lo utiliza directamente sin pasarlo por DOMPurify. Cada fuente de contenido diferente en el rastreador pasa por Readability + DOMPurify, pero la ruta de Reddit omite ambos. Dado que este contenido termina en 'dangerouslySetInnerHTML' en la vista de lectura, cualquier HTML malicioso en la respuesta de Reddit se ejecuta en el navegador del usuario. La versi\u00f3n 0.31.0 contiene un parche para este problema."}], "id": "CVE-2026-27627", "lastModified": "2026-03-10T18:51:43.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T04:16:03.757", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.30.0"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "karakeep", "source": "cna", "vendor": "karakeep-app"}, "product": "karakeep", "vendor": "karakeep"}], "analysis": {"en": {"generated_at": "2026-04-17T15:27:12.640599+00:00", "value": {"mitigation_remediation": ["Upgrade Karakeep to version 0.31.0 or later, which restores DOMPurify sanitization for Reddit content.", "If an upgrade is not yet possible, disable or remove the Reddit metascraper plugin to block the unfiltered content from being rendered.", "Alternatively, configure the application to enforce sanitization on all crawled content or remove the use of dangerouslySetInnerHTML for rendered posts."], "summary": {"action": "Patch Now", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Karakeep for version 0.30.0. The affected product is Karakeep, a locally\u2011hosted bookmark\u2011management application. The known CPE is cpe:2.3:a:localhostlabs:karakeep:0.30.0, and the vendor is listed as karakeep-app.", "description_and_impact": "Karakeep's Reddit metascraper plugin bypasses DOMPurify sanitization, resulting in stored cross\u2011site scripting when malicious HTML is returned from Reddit. The vulnerable plugin forwards redditContentHtml directly into dangerouslySetInnerHTML in the reader view, a path protected by no sanitization. This constitutes a classic stored XSS weakness (CWE\u201179) that allows an attacker to execute arbitrary client\u2011side code for any user viewing the affected content.", "risk_and_exploitability": "The CVSS score of 8.2 indicates high severity, and the EPSS score is below 1%, implying a very low, but non\u2011zero, likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can embed malicious scripts into Reddit posts that are parsed by the vulnerable plugin; when a user opens the Readable view, the browser executes the injected code. This results in client\u2011side compromise without requiring privileged system access, and can affect any user who views the affected Reddit content through Karakep."}}}}, "created": "2026-02-25T11:34:43.237376+00:00", "updated": "2026-04-17T15:30:06.035514+00:00", "vendors": ["karakeep", "karakeep$PRODUCT$karakeep"]}