CVE-2026-27627
Received Received - Intake
Cross-Site Scripting in Karakeep Reddit Metascraper Plugin

Publication date: 2026-02-25

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27627
EUVD
EUVD-2026-8614
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
localhostlabs karakeep 0.30.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27627 is a stored Cross-Site Scripting (XSS) vulnerability in the Karakeep application caused by the Reddit metascraper plugin bypassing the usual HTML sanitization process.'}, {'type': 'paragraph', 'content': "Specifically, when the Reddit plugin returns HTML content in the field `readableContentHtml` (derived from Reddit posts' `selftext_html`), this content is used directly without being sanitized by DOMPurify, unlike other content sources that go through Readability and DOMPurify sanitization."}, {'type': 'paragraph', 'content': "Because this unsanitized HTML is rendered in the browser using React's `dangerouslySetInnerHTML` without Content-Security-Policy protections, any malicious scripts embedded in the Reddit content execute in the user's browser."}, {'type': 'paragraph', 'content': "An attacker can exploit this by injecting malicious HTML or JavaScript into a Reddit post's content, which then gets stored in Karakeep's database and executes whenever the victim views the bookmark."}, {'type': 'paragraph', 'content': 'This vulnerability was fixed in Karakeep version 0.31.0 by introducing DOMPurify sanitization for the Reddit metascraper plugin output.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks within the Karakeep application context.

  • Attackers can steal session cookies and JWT tokens, potentially hijacking user sessions.
  • They can read all victim bookmarks, lists, and API keys stored in the application.
  • Attackers may perform actions on behalf of the victim, such as creating or deleting bookmarks and changing user settings.
  • If an administrator views a malicious bookmark, privilege escalation is possible.
  • The malicious payload persists in the database and triggers every time the affected bookmark is opened in reader view.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unsanitized HTML content from the Reddit metascraper plugin being stored and executed in the Karakeep application. Detection involves identifying if any bookmarks contain unsanitized Reddit content that could execute malicious scripts.'}, {'type': 'paragraph', 'content': 'One approach is to inspect the stored bookmark data for HTML content originating from Reddit posts, specifically looking for suspicious or unexpected script tags or event handlers such as onerror attributes within the `selftext_html` field.'}, {'type': 'paragraph', 'content': 'Since the vulnerability manifests as stored Cross-Site Scripting (XSS), you can search the database or exported bookmark data for suspicious HTML patterns.'}, {'type': 'list_item', 'content': "Use grep or similar tools to search for suspicious HTML in bookmark data files or database exports, e.g., `grep -i -r '<script' /path/to/bookmarks` or `grep -i -r 'onerror' /path/to/bookmarks`."}, {'type': 'list_item', 'content': "If you have access to the database, run queries to find bookmarks where the HTML content contains potentially dangerous tags or attributes, for example: `SELECT * FROM bookmarkLinks WHERE htmlContent LIKE '%<script%' OR htmlContent LIKE '%onerror=%';`"}, {'type': 'paragraph', 'content': 'Additionally, monitoring network traffic for suspicious requests triggered by malicious scripts (such as unexpected calls to external attacker domains) when users open bookmarks could help detect exploitation.'}] [3]

Mitigation Strategies

The primary mitigation is to upgrade the Karakeep application to version 0.31.0 or later, which includes a patch that sanitizes the Reddit metascraper plugin output using DOMPurify, preventing malicious HTML from being executed.

Until the upgrade is applied, avoid opening bookmarks sourced from Reddit posts that might contain unsanitized HTML content, as this could trigger the stored XSS.

If possible, review and sanitize existing stored bookmark data to remove malicious HTML content manually or via scripts that apply DOMPurify or similar sanitization.

Consider implementing Content-Security-Policy (CSP) headers in the application to restrict script execution and mitigate the impact of any injected scripts.

Monitor and audit user activity and logs for suspicious behavior that could indicate exploitation of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27627. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart