CVE-2026-27469
Received Received - Intake
Stored XSS in Isso Comment and Website Fields Allows Injection

Publication date: 2026-02-21

Last updated on: 2026-02-21

Assigner: GitHub, Inc.

Description
Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-21
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27469
EUVD
EUVD-2026-7721
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
isso_comments isso to 0.13.2 (exc)
isso_comments isso From 0.13.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27469 is a stored Cross-Site Scripting (XSS) vulnerability in the isso commenting system affecting the website and author comment fields.

The vulnerability arises because the website field was HTML-escaped with quote=false, leaving single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, an attacker can inject a single quote to break out of the attribute context and insert arbitrary event handlers like onmouseover or onclick.

Additionally, the user-facing comment edit endpoint and the moderation edit endpoint lacked proper escaping entirely, making them vulnerable as well.

This allows an attacker to post malicious comments that persist in the database and execute scripts when other users view the comments.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of users visiting the affected website.

An attacker can inject malicious event handlers that trigger when users interact with the comment, potentially stealing sensitive information, hijacking user sessions, or performing actions on behalf of the user.

Since exploitation requires no authentication and minimal user interaction, it poses a moderate risk.

Enabling comment moderation can reduce the risk by preventing unauthenticated users from posting comments, but it does not fully mitigate the issue because a moderator could still activate a malicious comment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a stored Cross-Site Scripting (XSS) issue affecting the website and author comment fields in the isso commenting system. Detection involves identifying if unescaped single quotes are present in the website field or if malicious event handlers (e.g., onmouseover, onclick) are injected in comments.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of this vulnerability, you can inspect HTTP requests and responses involving comment submissions and edits, especially the fields "website" and "author".'}, {'type': 'paragraph', 'content': 'Suggested commands include using tools like curl or wget to fetch comment data and grep or similar tools to search for suspicious payloads. For example:'}, {'type': 'list_item', 'content': 'curl -s http://your-website/comments | grep -E "onmouseover|onclick|<script>"'}, {'type': 'list_item', 'content': "curl -X PUT http://your-website/id/ -d 'website=javascript:alert(1)' -v"}, {'type': 'list_item', 'content': 'Use a web proxy or scanner (e.g., OWASP ZAP, Burp Suite) to intercept and analyze comment submission requests for unescaped quotes or injected event handlers.'}] [3, 2]

Mitigation Strategies

The vulnerability has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144 and version 0.13.2 of isso. Applying this update is the primary mitigation step.

As an immediate workaround before patching, enable comment moderation by setting moderation = enabled = true in the isso configuration file (isso.cfg). This prevents unauthenticated users from publishing comments, raising the difficulty of exploitation.

Note that enabling moderation does not fully mitigate the issue since a moderator could still activate a malicious comment.

  • Update isso to version 0.13.2 or later where the fix is applied.
  • Enable comment moderation in isso.cfg by setting moderation = enabled = true.
  • Review and sanitize existing comments to remove any potentially malicious payloads.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27469. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart