
CVE-2026-27627: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in karakeep-app karakeep

Severity: High
Tags: Vulnerability, CVE-2026-27627, CWE-79
Published: Wed Feb 25 2026 (02/25/2026, 03:48:07 UTC)
Source: CVE Database V5
Vendor/Project: karakeep-app
Product: karakeep

Description

CVE-2026-27627 is a high-severity cross-site scripting (XSS) vulnerability in karakeep version 0.30.0. The flaw arises because the Reddit metascraper plugin returns HTML content that is injected directly into the application's reader view without sanitization. Unlike other content sources, which are sanitized with Readability and DOMPurify, the Reddit path bypasses these protections, allowing malicious HTML to execute in users' browsers via dangerouslySetInnerHTML. This vulnerability can lead to high confidentiality impact by exposing sensitive user data through script execution. The issue is patched in version 0.31.0. Exploitation requires user interaction but no authentication, and the attack can affect all users running the vulnerable version.

AI-Powered Analysis

Last updated: 02/25/2026, 04:28:24 UTC

Technical Analysis

CVE-2026-27627 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting karakeep, a self-hostable bookmark management application. In version 0.30.0, the Reddit metascraper plugin returns HTML content labeled as `readableContentHtml`. This content is parsed and directly injected into the React component's reader view using dangerouslySetInnerHTML without passing through DOMPurify or Readability sanitization processes. Other content sources in the crawler pipeline are sanitized properly, but the Reddit path skips these steps, creating an injection vector. An attacker who can influence the Reddit content returned by the metascraper can embed malicious HTML or JavaScript, which executes in the context of the user's browser when viewing the reader. This can lead to theft of sensitive information such as cookies, session tokens, or other data accessible in the browser context, compromising confidentiality. The vulnerability does not require authentication but does require the user to interact with the malicious content. The scope is limited to users running version 0.30.0 of karakeep. The issue was addressed in version 0.31.0 by ensuring all content sources, including Reddit, are sanitized with DOMPurify before rendering. No known exploits are currently reported in the wild.
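The source-dependent bypass described above, modelled as an added example (not karakeep's code): the vulnerable pipeline trusts one crawler source and hands its `readableContentHtml` straight to the reader view, while the hardened pipeline runs every source through the same sanitizer. karakeep's real fix uses DOMPurify; because DOMPurify needs a DOM, a small allowlist sanitizer that regenerates tags rather than copying input stands in here, and the crawl result is constructed.

```javascript
// Stand-in for DOMPurify.sanitize() so the example runs offline in plain Node.
// It never copies input markup: allowed tags are regenerated from their name,
// every attribute except an http(s) href on <a> is dropped, and anything else
// (script, img, svg, comments, stray '<') is escaped into inert text.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "blockquote", "a", "ul", "ol", "li"]);

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function sanitizeHtml(html) {
  // Alternatives: a complete tag, a run of text, or a lone '<' that starts no tag.
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g, (token, tag, attrs) => {
    if (tag === undefined) return escapeHtml(token);        // text or stray '<'
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return escapeHtml(token);  // <script>, <img onerror>, ...
    if (token.startsWith("</")) return `</${name}>`;
    if (name === "a") {
      const m = /\bhref\s*=\s*["']?(https?:\/\/[^"'\s>]+)/i.exec(attrs || "");
      return m ? `<a href="${escapeHtml(m[1])}" rel="noopener noreferrer">` : "<a>";
    }
    return `<${name}>`;                                     // event handlers, style, etc. discarded
  });
}

// Constructed crawl result in the shape the advisory describes: the Reddit plugin
// returns pre-rendered HTML under readableContentHtml.
const crawlResult = {
  source: "reddit",
  readableContentHtml: '<p>Look at this</p><img src=x onerror="alert(1)"><script>alert(1)</script>',
};

// Vulnerable shape (0.30.0 as described): the Reddit path skips sanitization and the
// returned string is what the React component would pass to dangerouslySetInnerHTML.
function readerHtmlVulnerable(result) {
  if (result.source === "reddit") return result.readableContentHtml;
  return sanitizeHtml(result.readableContentHtml);
}

// Hardened shape (0.31.0 as described): no branch on source, every path is sanitized.
function readerHtmlFixed(result) {
  return sanitizeHtml(result.readableContentHtml);
}

module.exports = { sanitizeHtml, readerHtmlVulnerable, readerHtmlFixed, crawlResult };
```

The point of the fixed version is structural: sanitization is unconditional, so adding a new content source later cannot reintroduce the bypass.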

Potential Impact

The primary impact of this vulnerability is on confidentiality, as malicious scripts can steal sensitive user data such as authentication tokens, personal information, or other browser-stored secrets. Integrity impact is low since the vulnerability does not allow direct modification of backend data but could enable phishing or social engineering attacks by injecting misleading content. Availability is not affected. Because the vulnerability is exploitable remotely without authentication and only requires user interaction (viewing the malicious content), the attack surface is broad among users of the vulnerable version. Organizations using karakeep for managing bookmarks or aggregating web content risk data leakage and session hijacking. This could lead to unauthorized access to internal resources if session tokens are compromised. The vulnerability undermines user trust and could facilitate further attacks such as lateral movement or persistent browser-based exploits. Although no active exploits are known, the high CVSS score (8.2) reflects the ease of exploitation and significant confidentiality impact.

Mitigation Recommendations

The most effective mitigation is to upgrade karakeep to version 0.31.0 or later, where the Reddit metascraper content is properly sanitized with DOMPurify. Until an upgrade is possible, organizations should consider disabling the Reddit metascraper plugin to eliminate the attack vector. Implement Content Security Policy (CSP) headers that restrict script execution and limit the impact of injected scripts. Educate users about the risks of interacting with untrusted content within the app. Monitor network traffic and application logs for unusual activity related to Reddit content fetching. For self-hosted deployments, review and harden the sanitization pipeline to ensure all external content is sanitized consistently. Conduct regular security audits of third-party plugins and dependencies. Employ browser security features such as SameSite cookies and the HttpOnly flag to reduce token theft risk. Finally, maintain an incident response plan to quickly address any exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T22:02:30.027Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699e7673b7ef31ef0bd379a7

Added to database: 2/25/2026, 4:11:31 AM

Last enriched: 2/25/2026, 4:28:24 AM

Last updated: 2/25/2026, 6:16:24 PM
