FKIE_CVE-2026-27627

Vulnerability from fkie_nvd - Published: 2026-02-25 04:16 - Updated: 2026-03-10 18:51
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
References
security-advisories@github.comhttps://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9Patch
security-advisories@github.comhttps://github.com/karakeep-app/karakeep/releases/tag/v0.31.0Product, Release Notes
security-advisories@github.comhttps://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgjExploit, Vendor Advisory
Impacted products
Vendor Product Version
localhostlabs karakeep 0.30.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:-:*:*",
              "matchCriteriaId": "004A66CE-C6A3-44FD-BAA3-A73F3DE8E85D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user\u0027s browser. Version 0.31.0 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "Karakeep es una aplicaci\u00f3n autohospedable para marcar (bookmark) todo. En la versi\u00f3n 0.30.0, cuando el plugin metascraper de Reddit devuelve \u0027readableContentHtml\u0027, el subproceso de an\u00e1lisis HTML lo utiliza directamente sin pasarlo por DOMPurify. Cada fuente de contenido diferente en el rastreador pasa por Readability + DOMPurify, pero la ruta de Reddit omite ambos. Dado que este contenido termina en \u0027dangerouslySetInnerHTML\u0027 en la vista de lectura, cualquier HTML malicioso en la respuesta de Reddit se ejecuta en el navegador del usuario. La versi\u00f3n 0.31.0 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2026-27627",
  "lastModified": "2026-03-10T18:51:43.750",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-25T04:16:03.757",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/karakeep-app/karakeep/commit/ba3db953c0d8675e2e3ecc29113a332b570b2cb9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/karakeep-app/karakeep/releases/tag/v0.31.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/karakeep-app/karakeep/security/advisories/GHSA-mg93-f9mw-wpgj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.