CVE-2026-27469
Description
Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. To workaround, nabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
issoPyPI | < 0.13.2 | 0.13.2 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-9fww-8cpr-q66rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27469ghsaADVISORY
- docs.python.org/3/library/html.htmlnvdWEB
- github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144nvdWEB
- github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66rnvdWEB
News mentions
0No linked articles in our index yet.