Is there a patch available for EUVD-2026-19476?

Yes, a patch is available for EUVD-2026-19476. Update the affected software to the latest version immediately.

Lila EUVD-2026-19476

Q: What is the CVSS score of EUVD-2026-19476?

EUVD-2026-19476 has a CVSS 4.0 base score of 5.3 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-35208 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 GitHub_M

XSS Lila

5.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

0d5002696ae705e1888bf77de107c73de57bb1b3

EUVD ID Assigned

Apr 06, 2026 - 21:00 euvd

EUVD-2026-19476

Analysis Generated

Apr 06, 2026 - 21:00 vuln.today

CVE Published

Apr 06, 2026 - 20:06 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3.

AnalysisAI

Stored HTML injection in lichess.org allows approved streamers to inject arbitrary markup into the /streamer page and homepage 'Live streams' widget via their Twitch or YouTube stream title, enabling defacement and phishing attacks. The vulnerability requires an attacker to first obtain an approved streamer account (accounts older than 2 days with 15+ games, or verified accounts) and then moderate approval, but no additional privileges or authentication beyond that approval is needed. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate real-world risk despite the 5.3 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker creates a Lichess account and waits 2+ days, then plays 15+ games to satisfy the streamer approval threshold. They apply for streamer status and receive moderator approval. …
Remediation	Immediately update Lila to a version that includes commit 0d5002696ae705e1888bf77de107c73de57bb1b3 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19476 vulnerability details – vuln.today

Back