What is the CVSS score of CVE-2026-27627?

CVE-2026-27627 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Karakeep are affected by CVE-2026-27627?

Karakeep versions 0.30.0 contain a cross-site scripting (XSS) vulnerability in the Reddit metascraper plugin that allows attackers to inject malicious code through improperly sanitized HTML content.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27627?

Yes, a public proof-of-concept exploit is available for CVE-2026-27627. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-27627?

Within 24 hours: Identify all instances of Karakeep 0.30.0 in your environment and assess whether the Reddit metascraper plugin is enabled. Within 7 days: Apply the available patch to all affected Karakeep installations or disable the Reddit metascraper plugin if patching is not immediately feasible. Within 30 days: Conduct a security audit of Karakeep deployments, review access logs for suspicious activity, and implement Web Application Firewall rules to detect XSS attempts if patch deployment is delayed.

Karakeep CVE-2026-27627

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-25 security-advisories@github.com

XSS Karakeep

8.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.2 HIGH

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 10, 2026 - 18:51 vuln.today

Public exploit code

Patch released

Mar 10, 2026 - 18:51 nvd

Patch available

CVE Published

Feb 25, 2026 - 04:16 nvd

HIGH 8.2

DescriptionGitHub Advisory

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in dangerouslySetInnerHTML in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.

AnalysisAI

Stored cross-site scripting in Karakeep 0.30.0 allows remote attackers to execute arbitrary JavaScript in users' browsers by injecting malicious HTML through the Reddit metascraper plugin, which bypasses sanitization that is applied to other content sources. The vulnerability exists because the Reddit plugin's HTML output is rendered directly via dangerouslySetInnerHTML without DOMPurify filtering, and public exploit code is available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker crafts malicious HTML in Reddit post

Exploit

Karakeep Reddit metascraper plugin fetches content

Execution

HTML parsed without DOMPurify sanitization

Impact

Malicious script executes in user browser via dangerouslySetInnerHTML