FKIE_CVE-2026-27469

Vulnerability from fkie_nvd - Published: 2026-02-21 08:16 - Updated: 2026-02-23 18:13
Summary
Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. As a workaround, enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue, since a moderator activating a malicious comment would still expose visitors.
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors."
    },
    {
      "lang": "es",
      "value": "Isso es un servidor de comentarios ligero escrito en Python y JavaScript. En commits anteriores a 0afbfe0691ee237963e3fb0b2ee01c9e55ca2144, existe una vulnerabilidad de cross-site scripting (XSS) almacenado que afecta los campos de sitio web y de comentario del autor. El campo del sitio web fue escapado en HTML usando quote=False, lo que dej\u00f3 las comillas simples y dobles sin escapar. Dado que el frontend inserta el valor del sitio web directamente en un atributo href entre comillas simples mediante concatenaci\u00f3n de cadenas, una comilla simple en la URL rompe el contexto del atributo, permitiendo la inyecci\u00f3n de manejadores de eventos arbitrarios (p. ej. onmouseover, onclick). El mismo escape est\u00e1 completamente ausente del endpoint de edici\u00f3n de comentarios para el usuario (PUT /id/) y del endpoint de edici\u00f3n de moderaci\u00f3n (POST /id//edit/). Este problema ha sido parcheado en el commit 0afbfe0691ee237963e3fb0b2ee01c9e55ca2144. Como soluci\u00f3n alternativa, habilitar la moderaci\u00f3n de comentarios (moderation = enabled = true en isso.cfg) evita que los usuarios no autenticados publiquen comentarios, elevando la dificultad para la explotaci\u00f3n, pero no mitiga completamente el problema ya que un moderador que active un comentario malicioso a\u00fan expondr\u00eda a los visitantes."
    }
  ],
  "id": "CVE-2026-27469",
  "lastModified": "2026-02-23T18:13:53.397",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-21T08:16:11.993",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://docs.python.org/3/library/html.html#html.escape"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-116"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

