CVE-2026-27469

Severity: Medium (CVSS 6.1)
Exploit status: no known public exploit

Plain English Summary


This vulnerability allows an attacker to inject malicious scripts into comments on a website, which can execute harmful actions when other users interact with those comments. It primarily affects sites using an older version of the Isso commenting server, and while enabling comment moderation can help reduce risk, it doesn't completely eliminate the threat if a moderator approves a harmful comment.

Technical Description

Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/). This issue has been patched in commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144. As a workaround, enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation, but it does not fully mitigate the issue, since a moderator activating a malicious comment would still expose visitors.
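The escaping defect above comes down to one argument of Python's html.escape. The following is an added illustration, not code from Isso or from this advisory: it renders a website value into the same single-quoted href attribute the description mentions, once with quote=False and once with quote=True, and applies a defensive check that the attribute survives intact. The sample website and author values, the render_author_link function and the is_safe_link scheme allowlist are constructed for this example and are not part of the project's fix.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory): a website value containing
# a single quote and an author name containing a double quote and angle brackets.
# Harmless on their own; the point is which escaper lets them reach attribute context
# unchanged.
SAMPLE_WEBSITE = "https://example.com/o'neil"
SAMPLE_AUTHOR = 'Jane "JJ" <Doe>'


def escape_quote_false(value: str) -> str:
    """The defective escaping the advisory describes: html.escape(..., quote=False)
    encodes <, > and & but leaves both ' and " untouched."""
    return html.escape(value, quote=False)


def escape_quote_true(value: str) -> str:
    """Corrected escaping: quote=True (also the default) additionally encodes
    " as &quot; and ' as &#x27;, so the value cannot terminate an attribute."""
    return html.escape(value, quote=True)


def render_author_link(website: str, author: str, escaper) -> str:
    """Hypothetical renderer that builds the single-quoted href by string
    concatenation, as the advisory says the frontend does, using the given escaper."""
    return "<a href='" + escaper(website) + "'>" + escaper(author) + "</a>"


_HREF = re.compile(r"href='([^']*)'")


def attribute_round_trips(rendered: str, original: str) -> bool:
    """Defensive check: the href attribute must be one quoted token whose decoded
    value equals the original website. If a raw quote ended the attribute early,
    the captured value is truncated and the check fails."""
    match = _HREF.search(rendered)
    if match is None:
        return False
    attr = match.group(1)
    return "'" not in attr and html.unescape(attr) == original


def is_safe_link(website: str) -> bool:
    """Additional hardening assumed by this example (not part of the advisory's fix):
    only http(s) websites are rendered as links at all."""
    return urlsplit(website).scheme in ("http", "https")


if __name__ == "__main__":
    for name, escaper in (("quote=False", escape_quote_false), ("quote=True", escape_quote_true)):
        rendered = render_author_link(SAMPLE_WEBSITE, SAMPLE_AUTHOR, escaper)
        print(f"{name}: {rendered}")
        print(f"  attribute intact: {attribute_round_trips(rendered, SAMPLE_WEBSITE)}")
```

With quote=False the rendered markup reads href='https://example.com/o'neil', so the browser sees the attribute end after "o" and treats the rest as further attributes; with quote=True the quote becomes &#x27; and the attribute decodes back to the original URL. The same escaper must be applied on every path that stores or returns these fields, including the edit endpoints the advisory names, since escaping only at creation time leaves the edited value unprotected.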

CVSS Vector Analysis

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Scope: Changed

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


Est. Bounty: $862 ($500-$1K)
Vendor Response: Grade A, patched in 2 days

Quick Information

Published: Feb 21, 2026
Last Modified: Feb 23, 2026