CVE-2026-27627 - Vulnerability Analysis
Severity: High | CVSS: 8.2 | Last Updated: February 25, 2026
Karakeep - Stored XSS
Overview
Karakeep 0.30.0 contains a stored XSS: HTML content returned by the Reddit metascraper plugin is inserted into the reader view without being filtered, so an attacker can execute malicious scripts in the browsers of users who open the affected content. Exploitation requires malicious Reddit content.
Severity & Score
Impact
Attackers can execute arbitrary scripts in users' browsers, leading to session hijacking or data theft.
Mitigation
Update to version 0.31.0 or later.
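To make the missing step concrete, the following is an added illustration written for this page, not Karakeep's code: a small allowlist HTML sanitizer built on Python's standard library stands in for DOMPurify, and two dispatcher functions contrast the 0.30.0 behaviour (the Reddit plugin's `readableContentHtml` is used as-is) with the fixed behaviour (every content source passes through the sanitizer before the reader view). The allowlist, the dispatcher names and the Reddit-like sample HTML are all constructed for the example.

```python
# Added illustration: allowlist HTML sanitizer (stand-in for DOMPurify) and the
# "every source goes through it" dispatcher that 0.30.0 lacked for Reddit content.
import html
from html.parser import HTMLParser

# Constructed allowlist: a conservative subset adequate for a reader view.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote",
                "br", "code", "pre", "h1", "h2", "h3", "h4", "h5", "h6"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # text inside is discarded too


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags so the output stays balanced
        self.drop_depth = 0   # >0 while inside script/style/...; content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown/unsafe element: unwrap it, keep only its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onerror=, onclick=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue      # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:                 # close innermost up to the matching tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                                  # comments never reach the reader view

    def result(self):
        self.close()
        while self.open_tags:                 # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(raw):
    p = AllowlistSanitizer()
    p.feed(raw)
    return p.result()


def prepare_reader_content_vulnerable(source, readable_html):
    """Models the 0.30.0 flaw (constructed name): one source skips the sanitizer."""
    if source == "reddit":
        return readable_html              # plugin output used as-is
    return sanitize_html(readable_html)


def prepare_reader_content_fixed(source, readable_html):
    """Single choke point (constructed name): no source bypasses sanitization."""
    return sanitize_html(readable_html)


# Constructed sample of what scraped Reddit content could carry (canary payloads only).
REDDIT_SAMPLE = (
    '<h1>Post title</h1>'
    '<p>Harmless text &amp; a <a href="https://example.com/x">link</a>.</p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(1)">'
    '<p><a href="javascript:alert(1)">click</a></p>'
)

if __name__ == "__main__":
    print("vulnerable:", prepare_reader_content_vulnerable("reddit", REDDIT_SAMPLE))
    print("fixed:     ", prepare_reader_content_fixed("reddit", REDDIT_SAMPLE))
```

The point of the two dispatchers is structural: a per-source exception is exactly the kind of bypass that is invisible to a reviewer looking only at the sanitizer. In the real application the sanitizer slot is DOMPurify; the allowlist here is deliberately small so that anything a parser cannot account for is dropped rather than passed through. One caveat that follows from this being a stored issue: if the fix is applied at ingestion time (an assumption, since the page does not say where it applies), content stored before the upgrade may still hold unsanitized HTML, and re-running stored content through the sanitizer is the conservative check.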
References
Social Media Activity(2 posts)
CVE-2026-27627 - High (8.2) Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source ... https://www.thehackerwire.com/vulnerability/CVE-2026-27627/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-27627
- Severity: High
- CVSS Score: 8.2
- Type: stored_xss
- Status: unconfirmed
- EPSS: 3.1%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N