Repostat Vulnerable to Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Description
Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the RepoCard component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the repo prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of dangerouslySetInnerHTML has been removed, and the repo prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Repostat's RepoCard component before v1.0.1 uses dangerouslySetInnerHTML to render the repo prop, enabling reflected XSS if unsanitized input is passed.
Vulnerability
Overview
Repostat is a React component that fetches and displays GitHub repository info. Prior to version 1.0.1, the RepoCard component is vulnerable to Reflected Cross-Site Scripting (XSS). The root cause is the use of React's dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state without any sanitization [1][3]. This means that if a developer passes unvalidated user input directly into the repo prop—for example, reading it from a URL query parameter—an attacker can inject arbitrary HTML and JavaScript [3].
Exploitation
An attacker can craft a malicious URL that includes a repo query parameter containing a JavaScript payload. When a user visits that URL and the application uses Repostat's RepoCard component with the unsanitized parameter, the payload is rendered via dangerouslySetInnerHTML and executed in the user's browser [3]. The attack requires no authentication beyond the user's session, and the developer must have configured the component to accept user-controlled input for the repo prop [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, defacement, or other malicious actions that the user's browser can perform [1][3]. The severity is reflected in the CVSS score, which indicates a medium-to-high risk depending on the application's context.
Mitigation
The vulnerability is fixed in Repostat version 1.0.1. The fix removes the use of dangerouslySetInnerHTML and instead renders the repo prop using standard React JSX data binding, which automatically escapes HTML entities [1][4]. Users should update to version 1.0.1 or later. Developers should also ensure that any user-supplied input passed to the repo prop is validated or sanitized before use [3].
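The mechanism described in the Overview and the two-part mitigation above (escaped rendering plus input validation) can be shown without React itself, since the difference is entirely in what HTML string the browser receives. The following is an added example, not code from Repostat or its author: `renderLoadingUnsafe` mirrors the pre-1.0.1 pattern of interpolating the prop into raw HTML, `renderLoadingSafe` mirrors what JSX data binding produces for a text child, and `isValidRepoSlug` / `repoFromQuery` are assumed helpers showing how a consuming application should validate a query-parameter value before passing it to the `repo` prop. The inputs, the `owner/name` pattern and the fallback repository name are constructed for the demonstration.

```javascript
// Added example (not Repostat's own code). Shows the pre-1.0.1 rendering flaw
// beside the escaped rendering React performs for JSX text children, plus the
// input validation the advisory recommends for the `repo` prop. No React
// dependency: both render functions return the HTML string a browser would see.

// Mirrors the pre-1.0.1 pattern: `repo` is interpolated into raw HTML, the
// string that was handed to dangerouslySetInnerHTML. Kept only to show the flaw.
function renderLoadingUnsafe(repo) {
  return `<div>Loading data for: <strong>${repo}</strong>...</div>`;
}

// Escapes the characters React escapes when it serialises a text child
// (& < > " ') so the value can never open or close a tag or attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mirrors the 1.0.1 JSX `<strong>{repo}</strong>`: the prop is data, not markup.
function renderLoadingSafe(repo) {
  return `<div>Loading data for: <strong>${escapeHtml(repo)}</strong>...</div>`;
}

// Validation at the trust boundary (assumed helper). Accepts a GitHub-style
// "owner/name" slug: owner is alphanumeric or hyphen, must not start with a
// hyphen, at most 39 chars; name is alphanumeric, dot, underscore or hyphen,
// at most 100 chars. Anything else, including markup, is rejected.
const REPO_SLUG = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

function isValidRepoSlug(repo) {
  return typeof repo === 'string' && REPO_SLUG.test(repo);
}

// How a consuming app should read `repo` from the URL: validate first and fall
// back to a fixed default instead of rendering whatever the query string carried.
function repoFromQuery(search, fallback = 'denpiligrim/repostat') {
  const candidate = new URLSearchParams(search).get('repo');
  return isValidRepoSlug(candidate) ? candidate : fallback;
}

// Constructed inputs: a normal slug and a value carrying an HTML element.
const GOOD = 'denpiligrim/repostat';
const BAD = 'x/y<img src=x onerror="alert(1)">';

console.log('unsafe :', renderLoadingUnsafe(BAD)); // element survives intact
console.log('safe   :', renderLoadingSafe(BAD));   // element is inert text
console.log('query  :', repoFromQuery('?repo=' + encodeURIComponent(BAD))); // fallback
console.log('valid  :', isValidRepoSlug(GOOD), isValidRepoSlug(BAD));       // true false
```

The escaping step is what the 1.0.1 fix gets for free from JSX; the validation step is the separate control the advisory asks consumers to add, because a `repo` value that is not a real `owner/name` slug has no legitimate reason to reach the component at all.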
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| repostat (npm) | < 1.0.1 | 1.0.1 |
Affected products
- denpiligrim/repostat: affected range < 1.0.1
Patches
715df5f73359: Fix XSS vulnerability in RepoCard component
2 files changed · +8 −8
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "repostat", - "version": "1.0.0", + "version": "1.0.1", "description": "A simple React component to fetch and display GitHub repository info", "repository": { "type": "git",
src/RepoCard.tsx+7 −7 modified@@ -52,13 +52,13 @@ export const RepoCard: React.FC<RepoCardProps> = ({ repo, token }) => { backgroundColor: '#fff' }; - if (loading) { - return ( - <div style={cardStyle} dangerouslySetInnerHTML={{ - __html: `Loading data for: <strong>${repo}</strong>...` - }} /> - ); - } +if (loading) { + return ( + <div style={cardStyle}> + Loading data for: <strong>{repo}</strong>... + </div> + ); +} if (error) { return <div style={{ ...cardStyle, color: 'red' }}>Error: {error}</div>;
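Review bot: the replacement block in the src/RepoCard.tsx hunk loses the indentation the removed lines had; `+if (loading) {` and `+}` sit at column 0 while the trailing context `if (error) {` keeps the function-body indent, so the component now mixes two indentation levels. Re-indent the seven added lines to match the removed ones. The substantive change is correct: `<strong>{repo}</strong>` passes the prop as a JSX text child, which React escapes, so the loading state no longer interprets `repo` as markup. Consider adding a test that renders the loading state with a `repo` value containing `<` and asserts that no element is created from it, so a later refactor back to dangerouslySetInnerHTML fails in CI rather than in production.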
References
1. github.com/advisories/GHSA-fm8c-6m29-rp6j (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2026-27612 (NVD entry)
3. github.com/denpiligrim/repostat/commit/715df5f73359d222fd7876e948d14290180e3c88 (fix commit)
4. github.com/denpiligrim/repostat/security/advisories/GHSA-fm8c-6m29-rp6j (repository security advisory)