Description

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is still a server-side HTML injection sink. To trigger this, a Lichess account only needs to satisfy the normal streamer requirements and get approved. Per Streamer.canApply, that means an account older than 2 days with at least 15 games, or a verified/titled account. After moderator approval, once the streamer goes live, Lichess pulls the platform title and renders it into the UI as-is. No extra privileges are needed beyond a normal approved streamer profile. This vulnerability is fixed with commit 0d5002696ae705e1888bf77de107c73de57bb1b3.

INFO

Published Date :

2026-04-06T20:06:25.821Z

Last Modified :

2026-04-06T20:06:25.821Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35208 vulnerability.

Vendors Products
Lichess
  • Lila
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35208.

URL Resource
https://github.com/lichess-org/lila/commit/0d5002696ae705e1888bf77de107c73de57bb1b3 cve-icon cve-icon
https://github.com/lichess-org/lila/security/advisories/GHSA-v7gh-939r-pfjq cve-icon cve-icon
https://vimeo.com/1175908262 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability