What is the CVSS score of CVE-2026-27612?

CVE-2026-27612 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Github are affected by CVE-2026-27612?

Organizations using Repostat should be aware of moderate risk from CVE-2026-27612, a cross-site scripting vulnerability rated CVSS 6.1.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27612?

Yes, a public proof-of-concept exploit is available for CVE-2026-27612. Prioritise patching immediately. EPSS: 0.0%.

Github CVE-2026-27612

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-02-25 security-advisories@github.com

GHSA-fm8c-6m29-rp6j

XSS Github React Repostat

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 27, 2026 - 19:08 vuln.today

Public exploit code

Patch released

Feb 27, 2026 - 19:08 nvd

Patch available

CVE Published

Feb 25, 2026 - 03:16 nvd

MEDIUM 6.1

DescriptionNVD

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the RepoCard component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the repo prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of dangerouslySetInnerHTML has been removed, and the repo prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.

AnalysisAI

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27612 vulnerability details – vuln.today

Back