CVE-2026-27612: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in denpiligrim repostat
Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of `dangerouslySetInnerHTML` has been removed, and the `repo` prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.
AI Analysis
Technical Summary
CVE-2026-27612 affects the denpiligrim repostat React component in versions before 1.0.1. While in its loading state, the `RepoCard` component renders the repository name passed in the `repo` prop through React's `dangerouslySetInnerHTML`, with no sanitization. `dangerouslySetInnerHTML` assigns the string to the element's innerHTML, so it bypasses the escaping that JSX text binding applies: any HTML markup in the `repo` prop is parsed by the browser (CWE-79). Note that `<script>` elements inserted through innerHTML are not executed by browsers, so practical payloads use event handlers such as `<img src=x onerror=...>` or `<svg onload=...>`. The injection is only reachable when the host application feeds attacker-controllable input into the prop; the typical case is a `?repo=` URL query parameter reflected into the component, which makes this a reflected XSS. Because the unsafe rendering happens in the loading state, the payload fires as soon as the component mounts, before any response from the GitHub API arrives. The consequences are those of any XSS in the host origin: reading whatever script can reach there (non-HttpOnly cookies, localStorage tokens, page content), issuing requests with the user's session, or altering what the page shows. No authentication is required, but the victim must be induced to open a crafted link. Version 1.0.1 removes `dangerouslySetInnerHTML` and renders the `repo` prop through standard JSX data binding, which HTML-escapes the value. No exploitation in the wild has been reported. The CVSS v3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, no availability impact. A 6.1 with those metrics corresponds to a changed scope, the usual scoring for reflected XSS, since the injected script runs in the user's browser rather than in the vulnerable component itself.
Potential Impact
Applications that embed repostat before 1.0.1 and pass untrusted input into the `repo` prop, for example dashboards or developer tools that pick the repository to display from a URL parameter, expose their users to reflected XSS. A successful attack runs attacker-chosen script in the application's origin, which can steal session material that is reachable from script, exfiltrate sensitive page data, perform actions as the user, or manipulate what the application displays. Availability is not affected, but a stolen session or token can be the first step of a broader compromise. Because the payload has to be delivered through a crafted link, exploitation depends on phishing or other social engineering. Public-facing applications that do not validate the `repo` value before passing it to the component are most exposed; applications that hard-code the repository or derive it from a trusted source give an attacker no control over the prop and are not exploitable in practice, even on a vulnerable version.
Mitigation Recommendations
Upgrade denpiligrim repostat to 1.0.1 or later, which removes the `dangerouslySetInnerHTML` call. Independently of the upgrade, treat the `repo` prop as untrusted whenever it originates from a URL, form field, or other user-controlled source: validate it against the character set a GitHub `owner/name` reference can actually contain (letters, digits, `.`, `_`, `-` and a single `/`) and reject it or fall back to a default on anything else, since a legitimate repository name never needs `<`, `>` or quotes. Where the upgrade cannot be applied immediately, pin a patched copy of the component that renders the name through ordinary JSX text binding (`{repo}`) rather than innerHTML, and make sure the patch survives dependency reinstallation. A Content Security Policy whose `script-src` omits `'unsafe-inline'` blocks the inline event-handler payloads this bug admits and limits the damage should another sink be found. A WAF rule for reflected XSS patterns adds a layer but is bypassable and should not be the primary control. A lint rule that flags `dangerouslySetInnerHTML` (for example ESLint's `react/no-danger`) together with regular dependency audits will catch further uses of the API on untrusted data during code review.
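The following JavaScript is an added example, not code from repostat or its author. It models the two rendering paths described above, raw HTML interpolation as `dangerouslySetInnerHTML` performs it and entity escaping as JSX text binding performs it, and the validation gate recommended in the mitigation. The escape table, the `owner/name` pattern, the `?repo=` parameter name and the fallback repository are assumptions for illustration; the payload is constructed, and nothing here touches a real DOM or the GitHub API.

```javascript
// Added example (not repostat's code). Runs under Node.js with no dependencies.

// JSX text binding escapes these characters before they reach the DOM.
// Assumption: this reproduces React's text-escaping table; it is not
// imported from React.
function escapeHtml(text) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Pre-1.0.1 pattern: the repo name is spliced into raw HTML, which is what
// dangerouslySetInnerHTML does. Any markup in `repo` becomes live DOM.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// 1.0.1 pattern: the name is rendered as text, as JSX `{repo}` would do.
function renderLoadingSafe(repo) {
  return `<div class="repo-card">Loading ${escapeHtml(repo)}...</div>`;
}

// Allow-list for an "owner/name" reference. Assumption: owner is 1-39
// alphanumeric/hyphen characters not starting with a hyphen; name is 1-100
// characters from letters, digits, '.', '_', '-'. None of these need
// angle brackets or quotes, so an XSS payload can never pass.
const REPO_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

function isValidRepoRef(repo) {
  return typeof repo === 'string' && REPO_RE.test(repo);
}

// Gate the value at the point where it leaves user control (a query string)
// and before it becomes a prop. Hypothetical parameter name and fallback.
function repoFromQuery(search, fallback = 'denpiligrim/repostat') {
  const value = new URLSearchParams(search).get('repo');
  return isValidRepoRef(value) ? value : fallback;
}

// Constructed payload: a <script> tag would not run via innerHTML, so an
// event handler on an element that fails to load is the usual vehicle.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// Summarise both paths for one input so the difference is visible at a glance.
function compare(repo) {
  return {
    unsafeHasTag: renderLoadingUnsafe(repo).includes(PAYLOAD),
    safeHasTag: renderLoadingSafe(repo).includes('<img'),
    accepted: isValidRepoRef(repo),
  };
}
```

`compare(PAYLOAD)` yields `{ unsafeHasTag: true, safeHasTag: false, accepted: false }`: the unsafe path emits the tag verbatim, the escaped path turns it into inert text, and the validator rejects it before it can reach either renderer. Validation and escaping are complementary; the escape belongs in the component, the allow-list in the application that owns the input.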
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T19:43:14.602Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e6864b7ef31ef0bae9d16
Added to database: 2/25/2026, 3:11:32 AM
Last enriched: 3/4/2026, 7:03:44 PM
Last updated: 4/11/2026, 7:32:28 PM