Publish GHSA-9fww-8cpr-q66r

advisory-database[bot] · advisory-database[bot] · commit f08494037751 · 2026-02-24T16:04:23.000Z
diff --git a/advisories/github-reviewed/2026/02/GHSA-9fww-8cpr-q66r/GHSA-9fww-8cpr-q66r.json b/advisories/github-reviewed/2026/02/GHSA-9fww-8cpr-q66r/GHSA-9fww-8cpr-q66r.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9fww-8cpr-q66r",
+  "modified": "2026-02-24T16:03:04Z",
+  "published": "2026-02-24T16:03:04Z",
+  "aliases": [
+    "CVE-2026-27469"
+  ],
+  "summary": "Isso affected by Stored XSS via comment website field",
+  "details": "## Impact\n\nThis is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick).\n\nThe same escaping was missing entirely from the user-facing comment edit endpoint (PUT /id/<id>) and the moderation edit endpoint (POST /id/<id>/edit/<key>).\n\nAny visitor to a page embedding isso comments is impacted. No authentication or interaction beyond mouse movement is required to trigger a payload — an attacker can post a comment anonymously (moderation is off by default) with a crafted website URL, and the payload persists in the database and fires on every page load. With the full-page invisible overlay technique described in the report, the victim only needs to move their mouse.\n\n## Patches\n\nThe issue is fixed in commit 3cf27c2. Users should upgrade to a version containing that commit once released. The fix applies html.escape(..., quote=True) to the website field across all three write paths (POST /new, PUT /id/<id>, POST /id/<id>/edit/<key>), and adds input validation and escaping to the moderation edit endpoint which previously had neither.\n\n## Workarounds\n\n  Enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation. However, it\n  does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors. There is no configuration-only workaround that fully prevents\n   the vulnerability.\n\n## Resources\n\n  - https://docs.python.org/3/library/html.html#html.escape — note the quote parameter",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "isso"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.13.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27469"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55ca2144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://docs.python.org/3/library/html.html#html.escape"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/isso-comments/isso"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116",
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-24T16:03:04Z",
+    "nvd_published_at": "2026-02-21T08:16:11Z"
+  }
+}
