Description

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of dangerouslySetInnerHTML has been removed, and the repo prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.

INFO

Published Date :

2026-02-25T02:38:05.548Z

Last Modified :

2026-02-26T21:33:40.838Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27612 vulnerability.

Vendors Products
Denpiligrim
  • Repostat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27612.

URL Resource
https://github.com/denpiligrim/repostat/commit/715df5f73359d222fd7876e948d14290180e3c88 cve-icon cve-icon
https://github.com/denpiligrim/repostat/security/advisories/GHSA-fm8c-6m29-rp6j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact