CVE-2026-27020
Status: Received - Intake
Cross-Site Scripting in Photobooth User Input Fields Prior to

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs. This vulnerability is fixed in 1.0.1.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: lukas12000
Product: photobooth
Version / Range: up to 1.0.1 (excluding)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27020 is a Cross-Site Scripting (XSS) vulnerability found in the npm package "photobooth" versions prior to 1.0.1.

The vulnerability occurs because user input fields are not properly neutralized or sanitized, allowing malicious users to inject scripts through unvalidated form inputs.

This issue is classified under CWE-79, which relates to improper neutralization of input during web page generation.

The vulnerability was fixed in version 1.0.1 by implementing input sanitization to prevent script injection. [1]


How can this vulnerability impact me?

This XSS vulnerability can allow attackers to inject malicious scripts into the application through user input fields.

Such script injections can lead to unauthorized actions performed on behalf of users, theft of sensitive information like cookies or session tokens, or manipulation of the web page content.

The overall severity of this vulnerability is rated as low, but it still poses a risk to the security and integrity of the application and its users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the photobooth application for cross-site scripting (XSS) issues in user input fields. Specifically, you can attempt to inject common XSS payloads into form inputs and observe if the scripts are executed or reflected without proper sanitization.

There are no specific commands provided in the resources, but general approaches include using web vulnerability scanners or manual testing with payloads such as <script>alert(1)</script> in input fields.

Additionally, monitoring HTTP requests and responses for suspicious script injections using tools like curl, Burp Suite, or OWASP ZAP can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the photobooth package to version 1.0.1 or later, where the issue has been fixed by implementing input sanitization.

As a workaround before upgrading, manually sanitize all user inputs to prevent script injection.
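What "sanitize all user inputs" amounts to for a CWE-79 defect is encoding untrusted text at the point where it is written into the page. The following is an added illustration, not code from the photobooth package: the field name `caption`, the `<p>` wrapper and the `containsActiveMarkup` check are assumptions chosen for the example. It puts the vulnerable concatenation pattern next to the hardened one so the difference in output is visible; the sample input is the payload string already quoted in the detection answer above.

```javascript
// Added example (not photobooth's code): HTML output encoding for user-supplied text.
// The field name "caption" and the <p> wrapper are assumptions for illustration.

// The five characters that can change parsing context inside HTML text or a
// double-quoted attribute value, and their safe entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted text so the browser treats it as character data, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-79): untrusted input concatenated straight into markup.
// Whatever the user typed becomes part of the document structure.
function renderCaptionUnsafe(caption) {
  return `<p class="caption">${caption}</p>`;
}

// Hardened pattern: the value is encoded for the HTML text context at the exact
// point where it is interpolated, so it can only ever render as visible text.
function renderCaptionSafe(caption) {
  return `<p class="caption">${escapeHtml(caption)}</p>`;
}

// Demonstration helper (hypothetical, not a real sanitizer): after removing the
// one fixed wrapper the templates add, does any tag remain that came from input?
function containsActiveMarkup(html) {
  const body = html.replace(/^<p class="caption">/, '').replace(/<\/p>$/, '');
  return /<[a-z!/]/i.test(body);
}

// Constructed sample input: the payload string quoted in the advisory's Q&A text.
const SAMPLE_INPUT = '<script>alert(1)</script>';

console.log('unsafe:', renderCaptionUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderCaptionSafe(SAMPLE_INPUT));
```

The encoding has to match the output context: this table is correct for element text and double-quoted attribute values, but a value written into a URL, an inline script, or a CSS block needs that context's own encoding, and a value passed to `innerHTML` on the client needs the same treatment there. Encoding on output, rather than stripping characters on input, is also what lets the stored value stay intact for legitimate captions that happen to contain `<` or `&`.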

