{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35208", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T20:06:25.821Z", "dateUpdated": "2026-04-07T15:09:55.304Z"}, "containers": {"cna": {"title": "lichess.org has an Unsanitized Stream Title Injection on /streamer", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq"}, {"name": "https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3", "tags": ["x_refsource_MISC"], "url": "https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3"}, {"name": "https://vimeo.com/1175908262", "tags": ["x_refsource_MISC"], "url": "https://vimeo.com/1175908262"}], "affected": [{"vendor": "lichess-org", "product": "lila", "versions": [{"version": "< 0d5002696ae705e1888bf77de107c73de57bb1b3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:06:25.821Z"}, "descriptions": [{"lang": "en", "value": "lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage \u201cLive streams\u201d widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3."}], "source": {"advisory": "GHSA-v7gh-939r-pfjq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:55:58.549189Z", "id": "CVE-2026-35208", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:09:55.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35208", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:55:58.549189Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:56:03.052Z"}}], "cna": {"title": "lichess.org has an Unsanitized Stream Title Injection on /streamer", "source": {"advisory": "GHSA-v7gh-939r-pfjq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "lichess-org", "product": "lila", "versions": [{"status": "affected", "version": "< 0d5002696ae705e1888bf77de107c73de57bb1b3"}]}], "references": [{"url": "https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq", "name": "https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3", "name": "https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3", "tags": ["x_refsource_MISC"]}, {"url": "https://vimeo.com/1175908262", "name": "https://vimeo.com/1175908262", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage \u201cLive streams\u201d widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T20:06:25.821Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35208", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:09:55.304Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T20:06:25.821Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lichess:lila:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9D5C218-3446-4056-881F-89DBF44EA3C9", "versionEndExcluding": "2026-03-31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage \u201cLive streams\u201d widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3."}], "id": "CVE-2026-35208", "lastModified": "2026-04-16T04:23:23.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T21:16:20.273", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://vimeo.com/1175908262"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,0d5002696ae705e1888bf77de107c73de57bb1b3)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "lila", "source": "cna", "vendor": "lichess-org"}, "product": "lila", "vendor": "lichess"}], "analysis": {"en": {"generated_at": "2026-04-07T02:50:56.940879+00:00", "value": {"mitigation_remediation": ["Apply the patch that updates Lila to commit 0d5002696ae705e1888bf77de107c73de57bb1b3, which sanitises stream titles before rendering."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side injection of arbitrary HTML from stream titles"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Lila application used by lichess.org. Any account that meets the standard streamer prerequisites\u2014older than two days with at least fifteen games, or a verified or titled account\u2014can enable the injection once the account is approved by a moderator and the streamer starts a live session. The flaw applies to all releases before the patch commit 0d5002696ae705e1888bf77de107c73de57bb1b3.", "description_and_impact": "Lichess.org renders third\u2011party stream titles directly into the page without sanitisation, creating a data sink that can be abused for cross\u2011site scripting. The flaw is a server\u2011side injection weakness (CWE\u2011116) and also an XSS vulnerability (CWE\u201179). A streamer with a normal approved account can craft a stream title containing malicious markup; that title then appears unchanged on the streamer page and in the home\u2011page live\u2011streams widget, exposing visitors to unintended content.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires only the normal permission to be an approved streamer. The attacker\u2019s payload is a stream title, so no extra system privileges are needed; the impact is confined to users who view the streamer page or the live\u2011streams widget, but the injected content can prompt phishing or other client\u2011side abuses."}}}}, "created": "2026-04-07T06:54:16.844620+00:00", "updated": "2026-04-07T09:37:18.102907+00:00", "vendors": ["lichess", "lichess$PRODUCT$lila"]}