CVE-2026-27020
Received Received - Intake
Cross-Site Scripting in Photobooth User Input Fields Prior to

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs. This vulnerability is fixed in 1.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27020
EUVD
EUVD-2026-7791
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lukas12000 photobooth to 1.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27020 is a Cross-Site Scripting (XSS) vulnerability found in the npm package "photobooth" versions prior to 1.0.1.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because user input fields are not properly neutralized or sanitized, allowing malicious users to inject scripts through unvalidated form inputs.'}, {'type': 'paragraph', 'content': 'This issue is classified under CWE-79, which relates to improper neutralization of input during web page generation.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.0.1 by implementing input sanitization to prevent script injection.'}] [1]

Impact Analysis

This XSS vulnerability can allow attackers to inject malicious scripts into the application through user input fields.

Such script injections can lead to unauthorized actions performed on behalf of users, theft of sensitive information like cookies or session tokens, or manipulation of the web page content.

The overall severity of this vulnerability is rated as low, but it still poses a risk to the security and integrity of the application and its users.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing the photobooth application for cross-site scripting (XSS) issues in user input fields. Specifically, you can attempt to inject common XSS payloads into form inputs and observe if the scripts are executed or reflected without proper sanitization.

There are no specific commands provided in the resources, but general approaches include using web vulnerability scanners or manual testing with payloads such as <script>alert(1)</script> in input fields.

Additionally, monitoring HTTP requests and responses for suspicious script injections using tools like curl, Burp Suite, or OWASP ZAP can help detect exploitation attempts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the photobooth package to version 1.0.1 or later, where the issue has been fixed by implementing input sanitization.

As a workaround before upgrading, manually sanitize all user inputs to prevent script injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart