CVE-2026-27627
Published: 25 February 2026
Summary
CVE-2026-27627 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Localhostlabs Karakeep. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and sanitization of HTML inputs from external sources like Reddit before processing, directly preventing unsanitized content from reaching dangerouslySetInnerHTML.
Mandates filtering of information outputs to block malicious HTML/JS execution in the reader view, addressing the bypassed DOMPurify step.
Implements controls to confine or prevent execution of mobile code (malicious scripts) from external Reddit responses in the browser context.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS enables direct execution of attacker-controlled JavaScript in the browser context (T1059.007) and subsequent theft of session cookies/tokens via exfiltration (T1539).
NVD Description
Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,…
more
but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
Deeper analysisAI
CVE-2026-27627 is a cross-site scripting vulnerability (CWE-79) in Karakeep, a self-hostable bookmark-everything app, specifically affecting version 0.30.0. The flaw occurs in the Reddit metascraper plugin, where the `readableContentHtml` response is passed directly to the HTML parsing subprocess without sanitization through DOMPurify. Unlike content from other sources, which undergoes Readability and DOMPurify processing, Reddit content bypasses these steps and is inserted via `dangerouslySetInnerHTML` in the reader view, enabling execution of malicious HTML provided in the Reddit response.
Attackers can exploit this vulnerability remotely (AV:N) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), achieving a scope change (S:C) for high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N), resulting in a CVSS v3.1 base score of 8.2. Exploitation requires tricking a user into viewing a bookmark of a Reddit page controlled by the attacker, where malicious HTML in the response executes in the victim's browser, potentially exfiltrating sensitive data like cookies or session tokens.
Mitigation is addressed in Karakeep version 0.31.0, which patches the issue as detailed in the GitHub security advisory (GHSA-mg93-f9mw-wpgj), release notes for v0.31.0, and the fixing commit (ba3db953c0d8675e2e3ecc29113a332b570b2cb9). Security practitioners should advise users to upgrade to v0.31.0 or later.
Details
- CWE(s)