CVE-2026-27612: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in denpiligrim repostat
CVE-2026-27612 is a reflected Cross-Site Scripting (XSS) vulnerability in the denpiligrim repostat React component in versions prior to 1.0.1. The vulnerability arises because the RepoCard component uses React's dangerouslySetInnerHTML to render the repository name during loading without sanitizing the input. If untrusted user input is passed to the repo prop, an attacker can execute arbitrary JavaScript in the user's browser. This can lead to theft of sensitive information or session hijacking. The issue was fixed in version 1.0.1 by removing dangerouslySetInnerHTML and using safe JSX data binding, which escapes HTML entities. The CVSS score is 6.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-27612 affects the denpiligrim repostat React component, specifically versions before 1.0.1. The component's RepoCard uses React's dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state. This method bypasses React's default HTML escaping, allowing raw HTML or script injection if the input is not sanitized. If a developer passes untrusted user input directly to the repo prop—such as from a URL query parameter—an attacker can craft malicious input that executes arbitrary JavaScript in the victim's browser context. This reflected XSS can lead to session hijacking, credential theft, or other malicious actions within the user's session. The vulnerability does not require authentication but does require user interaction (e.g., clicking a crafted link). The fix in version 1.0.1 replaces dangerouslySetInnerHTML with standard JSX data binding, which automatically escapes HTML entities, mitigating the risk. The CVSS 3.1 score of 6.1 reflects a network attack vector with low complexity, no privileges required, user interaction needed, and partial impact on confidentiality and integrity but no impact on availability. No known exploits have been reported in the wild, but the vulnerability poses a moderate risk to applications using affected versions of repostat that incorporate untrusted input into the repo prop.
Potential Impact
The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of users' browsers when interacting with applications using vulnerable versions of repostat. This can lead to theft of sensitive information such as authentication tokens, cookies, or personal data, enabling session hijacking or impersonation. It can also facilitate further attacks like redirecting users to malicious sites or performing unauthorized actions on behalf of the user. Since repostat is a React component designed to display GitHub repository information, applications integrating it may expose their users to these risks if they do not sanitize inputs passed to the repo prop. The vulnerability affects confidentiality and integrity but does not impact system availability. Organizations relying on repostat in web applications, especially those that incorporate user input into the repo prop without validation, face moderate risk of client-side compromise. The risk is heightened in environments where users have elevated privileges or access sensitive data through the affected application.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade to repostat version 1.0.1 or later, where the use of dangerouslySetInnerHTML has been removed and safe JSX data binding is used. Developers must ensure that any input passed to the repo prop is strictly validated and sanitized, especially if it originates from user-controlled sources such as URL parameters or form inputs. Avoid passing raw user input directly to the repo prop. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct thorough code reviews and security testing focusing on input handling in components that render HTML content. Additionally, educate developers on the risks of using dangerouslySetInnerHTML and promote safe React coding practices. Monitoring web application logs for suspicious activity and anomalous input patterns can help detect exploitation attempts. Finally, inform users to avoid clicking suspicious links that may exploit this vulnerability until patches are applied.
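The two rendering patterns the analysis contrasts (raw markup via dangerouslySetInnerHTML versus escaped JSX binding), together with the strict validation of the repo prop that the mitigation section recommends, as an added example that is not repostat's own code; the `renderLoadingUnsafe`, `renderLoadingSafe` and `validateRepoProp` names and the slug character set are assumptions.

```javascript
// Added example, not repostat's own code: models RepoCard's loading-state
// rendering before and after the 1.0.1 fix, plus the input validation the
// advisory recommends. Plain Node.js with no React dependency: each render
// function returns the HTML string the browser would end up parsing.

// Escape the characters that are significant in HTML text and attributes.
// This is the treatment React applies to a value bound as {repo} in JSX.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (versions before 1.0.1): the prop is inserted as raw
// markup, which is what dangerouslySetInnerHTML does.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// Fixed pattern (1.0.1): the prop is inserted as escaped text, which is
// what JSX data binding (<div>Loading {repo}...</div>) does.
function renderLoadingSafe(repo) {
  return `<div class="repo-card">Loading ${escapeHtml(repo)}...</div>`;
}

// Defence in depth for callers: accept only an "owner/name" slug before the
// value reaches the component. The character set is an assumption modelled
// on GitHub naming rules; tighten it for your own deployment.
const REPO_SLUG = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

// Returns the trimmed slug when it is well-formed, otherwise null so the
// caller can fall back to a default instead of rendering the input.
function validateRepoProp(input) {
  const value = String(input ?? "").trim();
  return REPO_SLUG.test(value) ? value : null;
}

// Constructed sample inputs: a legitimate slug and a markup-bearing string
// of the kind that could arrive via an untrusted URL query parameter.
const legit = "denpiligrim/repostat";
const hostile = "<script>alert(1)</script>";

console.log(renderLoadingUnsafe(hostile)); // script tag survives intact
console.log(renderLoadingSafe(hostile));   // rendered as inert text
console.log(validateRepoProp(hostile));    // null: rejected before rendering
```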
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T19:43:14.602Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e6864b7ef31ef0bae9d16
Added to database: 2/25/2026, 3:11:32 AM
Last enriched: 2/25/2026, 3:28:01 AM
Last updated: 2/25/2026, 8:44:13 PM