{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27701", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T15:06:17.617Z", "dateUpdated": "2026-02-27T17:00:20.183Z"}, "containers": {"cna": {"title": "LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j"}, {"name": "https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11"}], "affected": [{"vendor": "live-codes", "product": "livecodes", "versions": [{"version": "< e151c64c2bd80d2d53ac1333f1df9429fe6a1a11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T15:06:17.617Z"}, "descriptions": [{"lang": "en", "value": "LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue."}], "source": {"advisory": "GHSA-xh9w-5859-x97j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:00:13.015820Z", "id": "CVE-2026-27701", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:00:20.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27701", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T17:00:13.015820Z"}}}], "references": [{"url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:00:03.561Z"}}], "cna": {"title": "LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow", "source": {"advisory": "GHSA-xh9w-5859-x97j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "live-codes", "product": "livecodes", "versions": [{"status": "affected", "version": "< e151c64c2bd80d2d53ac1333f1df9429fe6a1a11"}]}], "references": [{"url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j", "name": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11", "name": "https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T15:06:17.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27701", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:00:20.183Z", "dateReserved": "2026-02-23T17:56:51.202Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T15:06:17.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue."}, {"lang": "es", "value": "LiveCode es un entorno de pruebas de c\u00f3digo de c\u00f3digo abierto, del lado del cliente. Antes del commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, el flujo de trabajo de GitHub Actions 'i18n-update-pull' de LiveCode es vulnerable a la inyecci\u00f3n de JavaScript. El t\u00edtulo de la Pull Request asociado con el comentario de la incidencia que lo activa se interpola directamente en un bloque de JavaScript 'actions/github-script' utilizando una expresi\u00f3n de plantilla de GitHub Actions. Un atacante que abre una PR con un t\u00edtulo manipulado puede inyectar JavaScript arbitrario que se ejecuta con los privilegios del token del bot de CI ('CI_APP_ID' / 'CI_APP_PRIVATE_KEY'), lo que permite la exfiltraci\u00f3n de secretos del repositorio y operaciones no autorizadas de la API de GitHub. El commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 soluciona el problema."}], "id": "CVE-2026-27701", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T16:23:26.613", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/live-codes/livecodes/commit/e151c64c2bd80d2d53ac1333f1df9429fe6a1a11"}, {"source": "security-advisories@github.com", "url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/live-codes/livecodes/security/advisories/GHSA-xh9w-5859-x97j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,e151c64c2bd80d2d53ac1333f1df9429fe6a1a11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "livecodes", "source": "cna", "vendor": "live-codes"}, "product": "livecodes", "vendor": "live-codes"}], "analysis": {"en": {"generated_at": "2026-04-17T15:14:46.757451+00:00", "value": {"mitigation_remediation": ["Apply the fix included in commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or upgrade to a newer release of LiveCodes.", "Disable or modify the i18n-update-pull workflow to avoid embedding unsanitized PR titles into a JavaScript execution context; replace the title interpolation with a safe method or escape the input.", "Restrict the CI bot token\u2019s permissions by revoking unnecessary scopes and enabling strict branch protection rules and mandatory pull request reviews before merges."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is LiveCodes (live-codes:livecodes). All releases that include the i18n\u2011update\u2011pull workflow before commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 contain the vulnerability. Upgrades to or later than that commit contain the fix.", "description_and_impact": "LiveCodes\u2019 i18n-update-pull GitHub Actions workflow injects the pull request title into a JavaScript block that runs under the CI bot token. This flaw allows an attacker to craft a PR title that contains arbitrary JavaScript, enabling the attacker to execute code with the privileges of the CI bot. The attacker can exfiltrate repository secrets, modify code, or perform unauthorized GitHub API operations, compromising confidentiality, integrity, and potentially availability of the affected repositories. The underlying weakness is described by CWE\u201194, highlighting improper handling of untrusted input in code generation contexts.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, but the EPSS score of less than 1\u202f% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to open a pull request; the attack vector is remote via GitHub\u2019s web interface or API. If exploited, the attacker can leverage the CI bot\u2019s token to gain full control over the repository, posing significant risk to any organization using the default workflow configuration."}}}}, "created": "2026-02-26T13:15:58.088936+00:00", "updated": "2026-04-17T15:15:21.859467+00:00", "vendors": ["live-codes", "live-codes$PRODUCT$livecodes"]}