CVE-2026-35208
Received Received - Intake
Server-Side HTML Injection in Lichess Streamer Feature

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35208
EUVD
EUVD-2026-19476
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lichess lila to 2026-03-31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in lichess.org, an open source chess server. Approved streamers can inject arbitrary HTML into the /streamer page and the homepage's "Live streams" widget by placing markup in their Twitch or YouTube stream title. Although a Content Security Policy (CSP) is in place that blocks inline script execution, the vulnerability is a server-side HTML injection sink, meaning the server renders the injected HTML as-is. To exploit this, an attacker only needs a Lichess account that meets normal streamer requirements and gets approved by a moderator. Once approved and live, the platform title is pulled and rendered directly into the UI without sanitization or extra privileges.

Impact Analysis

This vulnerability allows an approved streamer to inject arbitrary HTML into the Lichess UI, which could lead to various impacts such as UI manipulation, phishing attempts, or misleading content being displayed to users. Although inline scripts are blocked by CSP, the injected HTML could still affect the user experience or potentially be used in combination with other vulnerabilities to escalate impact.

Mitigation Strategies

The vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3. Immediate mitigation involves updating the Lichess server to include this fix.

Additionally, restricting or reviewing streamer approvals to ensure only trusted accounts can inject content may reduce risk until the fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart