CVE-2026-27627: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in karakeep-app karakeep
Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
AI Analysis
Technical Summary
CVE-2026-27627 is a cross-site scripting vulnerability classified under CWE-79 affecting karakeep, a self-hostable bookmark management application, specifically version 0.30.0. The vulnerability stems from improper neutralization of input during web page generation. Karakeep uses a Reddit metascraper plugin to fetch content, which returns HTML in the field `readableContentHtml`. Unlike other content sources that undergo sanitization via Readability and DOMPurify to remove malicious scripts, the Reddit path bypasses these sanitization steps. Consequently, the HTML content is directly injected into the React component using `dangerouslySetInnerHTML` in the reader view. This direct injection allows any malicious HTML or JavaScript embedded in the Reddit response to execute in the context of the user's browser session. The vulnerability has a CVSS 3.1 base score of 8.2, indicating high severity, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction (viewing the malicious content). The scope is changed, affecting confidentiality (high impact), integrity (low impact), but not availability. The flaw could lead to theft of sensitive information such as cookies, session tokens, or other browser-stored data, and potentially enable further attacks like session hijacking or phishing. The issue was addressed in karakeep version 0.31.0 by ensuring that the Reddit metascraper plugin's HTML output is properly sanitized through DOMPurify before rendering. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risks of inconsistent input sanitization in web applications, especially when integrating third-party content sources.
Potential Impact
The primary impact of this vulnerability is the potential compromise of user confidentiality and partial integrity through cross-site scripting attacks. Attackers can inject malicious scripts that execute in the context of the victim's browser, potentially stealing authentication tokens, cookies, or other sensitive data. This can lead to unauthorized access to user accounts or data leakage. The integrity of displayed content may be altered, misleading users or enabling phishing attacks. Although availability is not directly affected, successful exploitation could facilitate further attacks that degrade service or user trust. Organizations using karakeep 0.30.0, especially those self-hosting the application for internal or external users, face risks of targeted attacks if adversaries craft malicious Reddit content or manipulate the metascraper responses. The requirement for user interaction (viewing the malicious content) somewhat limits automated exploitation but does not eliminate risk, especially in environments where users frequently consume Reddit content via karakeep. The vulnerability could be leveraged in spear-phishing campaigns or supply chain attacks targeting organizations relying on karakeep for bookmark management. Given the high CVSS score and the widespread use of web applications integrating third-party content, the potential impact is significant for confidentiality and user trust.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade karakeep to version 0.31.0 or later, where the Reddit metascraper plugin's output is properly sanitized using DOMPurify. If upgrading is not immediately feasible, administrators should consider disabling the Reddit metascraper plugin to prevent untrusted HTML content from being rendered. Implement additional input validation and sanitization layers on all third-party content sources before rendering. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Educate users about the risks of interacting with untrusted content and encourage cautious behavior when viewing dynamically generated content. Regularly audit and monitor logs for unusual activity that may indicate exploitation attempts. For developers, avoid using `dangerouslySetInnerHTML` without thorough sanitization and prefer safer rendering methods. Incorporate automated security testing and code reviews focusing on input handling and sanitization consistency across all content sources.
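The shape of the fix described above and in the technical summary, as an added example that is not karakeep's own code: one sanitization gate that every crawler source, including a metascraper plugin's `readableContentHtml`, must pass through before the reader view renders it. The sanitizer here is a constructed stand-in so the sample runs offline under plain Node; in the real application that call would be DOMPurify, and `readabilityHtml`, `prepareReaderHtml` and `hasActiveContent` are assumed names.

```javascript
// Added example, not karakeep's code: one sanitization gate between every
// crawler content source and the reader view's dangerouslySetInnerHTML.
// standInSanitize is a constructed allowlist stripper so this runs offline
// under plain Node; the real gate would call DOMPurify.sanitize().

const ALLOWED_TAGS = new Set(["p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
  "br", "img", "blockquote", "code", "pre", "h1", "h2", "h3"]);
const URL_ATTRS = new Set(["href", "src"]);
const ATTR_RE = /([a-zA-Z_:][a-zA-Z0-9_:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Constructed stand-in for DOMPurify: drops script/style blocks, non-allowlisted
// elements, on* event-handler attributes and javascript: URLs. Demonstration
// only; a regex pass is not a substitute for a DOM-based sanitizer.
function standInSanitize(html) {
  const noScripts = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return noScripts.replace(/<\/?([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g, (match, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return "";
    if (match.startsWith("</")) return `</${name}>`;
    const kept = [];
    for (const a of attrs.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (attr.startsWith("on")) continue;                          // onerror=, onload=, ...
      if (URL_ATTRS.has(attr) && /^\s*javascript:/i.test(value)) continue;
      kept.push(`${attr}="${value.replace(/"/g, "&quot;")}"`);
    }
    return kept.length ? `<${name} ${kept.join(" ")}>` : `<${name}>`;
  });
}

// Whichever branch produced the HTML (a metascraper plugin's readableContentHtml,
// as in the Reddit path, or Readability output for every other source), exactly
// one sanitizer call sits between the crawler and the reader view. In 0.30.0 the
// metascraper branch returned its HTML unsanitized. readabilityHtml is an
// assumed field name; readableContentHtml is the field named in the advisory.
function prepareReaderHtml(crawled, sanitize = standInSanitize) {
  const raw = crawled.readableContentHtml != null
    ? crawled.readableContentHtml
    : (crawled.readabilityHtml ?? "");
  return sanitize(raw);
}

// Regression check a test suite can run over every source's output: nothing the
// sanitizer is supposed to remove survives into the reader HTML.
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html) || /javascript:/i.test(html);
}
```

Running `hasActiveContent` over the output of every crawler source in CI is the kind of consistency check that would have caught the unsanitized branch.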
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.027Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e7673b7ef31ef0bd379a7
Added to database: 2/25/2026, 4:11:31 AM
Last enriched: 3/4/2026, 8:34:05 PM
Last updated: 4/11/2026, 5:45:23 PM
Views: 38