Lila
Monthly
Stored HTML injection in lichess.org allows approved streamers to inject arbitrary markup into the /streamer page and homepage 'Live streams' widget via their Twitch or YouTube stream title, enabling defacement and phishing attacks. The vulnerability requires an attacker to first obtain an approved streamer account (accounts older than 2 days with 15+ games, or verified accounts) and then moderate approval, but no additional privileges or authentication beyond that approval is needed. Content Security Policy blocks inline script execution, limiting the immediate scope to HTML/CSS-based attacks rather than arbitrary JavaScript execution. A upstream fix is available via commit 0d5002696ae705e1888bf77de107c73de57bb1b3, and no public exploit code or active exploitation has been reported.
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stored HTML injection in lichess.org allows approved streamers to inject arbitrary markup into the /streamer page and homepage 'Live streams' widget via their Twitch or YouTube stream title, enabling defacement and phishing attacks. The vulnerability requires an attacker to first obtain an approved streamer account (accounts older than 2 days with 15+ games, or verified accounts) and then moderate approval, but no additional privileges or authentication beyond that approval is needed. Content Security Policy blocks inline script execution, limiting the immediate scope to HTML/CSS-based attacks rather than arbitrary JavaScript execution. A upstream fix is available via commit 0d5002696ae705e1888bf77de107c73de57bb1b3, and no public exploit code or active exploitation has been reported.
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c (2025-06-02) contains a Server-Side Request Forgery (SSRF) vulnerability in the game export API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.