Isso-comments is a lightweight commenting server implemented in Python and JavaScript. Prior to commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, it contained a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-27469) due to improper neutralization of input during web page generation. Specifically, the website field was HTML-escaped with quote=False, leaving single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, an attacker can inject a single quote to break out of the attribute context and insert arbitrary event handlers such as onmouseover or onclick. Additionally, the comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/) lacked any escaping, further increasing the attack surface. This vulnerability allows an attacker to store malicious scripts that execute in the browsers of users viewing the affected comments, potentially leading to session hijacking, credential theft, or unauthorized actions. Although enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, it does not fully mitigate the risk because a moderator could activate a malicious comment. The vulnerability has been patched in the referenced commit, and no known exploits are currently reported in the wild. The CVSS 3.1 base score is 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity with no impact on availability.

The vulnerability enables attackers to inject and store malicious JavaScript code within comment fields, which executes in the browsers of users who view these comments. This can lead to theft of sensitive information such as cookies, session tokens, or credentials, enabling account takeover or unauthorized actions on behalf of users. It can also facilitate phishing, defacement, or redirection to malicious sites. Since the attack requires only user interaction (clicking or hovering) and no authentication, it poses a significant risk to any website using vulnerable versions of isso-comments. Organizations relying on isso for user-generated content risk reputational damage, data breaches, and loss of user trust. The partial mitigation by comment moderation reduces but does not eliminate risk, especially if moderators inadvertently approve malicious comments. The scope includes all websites using affected versions of isso-comments, which may be small but can include privacy-focused or lightweight web platforms.

1. Immediately upgrade isso-comments to the patched version at or after commit 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144 to ensure proper escaping and elimination of the XSS vulnerability. 2. If immediate patching is not possible, enable comment moderation (moderation = enabled = true in isso.cfg) to prevent unauthenticated users from posting comments directly, raising the exploitation bar. 3. Review and tighten moderation workflows to ensure that moderators carefully vet comments before approval, minimizing the risk of activating malicious content. 4. Implement Content Security Policy (CSP) headers on affected websites to restrict execution of inline scripts and reduce the impact of potential XSS payloads. 5. Sanitize and validate all user inputs on both server and client sides, especially for fields rendered into HTML attributes. 6. Educate moderators and administrators about the risks of XSS and the importance of cautious comment approval. 7. Monitor logs and user reports for suspicious comment activity or unexpected script execution. 8. Consider additional security controls such as HTTPOnly and Secure flags on cookies to limit session hijacking impact.