CVE-2026-27612
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Description
### Impact

The `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser.

### Proof of Concept

```jsx
import { RepoCard } from 'repostat';

function App() {
  // Reads the repo slug straight from the query string with no validation.
  const params = new URLSearchParams(window.location.search);
  const maliciousRepo = params.get('repo') || 'facebook/react';
  return <RepoCard repo={maliciousRepo} token="YOUR_TOKEN" />;
}
```

### Remediation

Update to version 1.0.1. The use of `dangerouslySetInnerHTML` has been removed, and the `repo` prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.
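The following is an added example, not code from the repostat project or from the advisory. It shows, in plain JavaScript so it runs under Node without a JSX build step, why rendering the `repo` prop through `dangerouslySetInnerHTML` is an injection sink and what the two defences look like: output escaping (`escapeHtml` reproduces the entity escaping React applies to JSX text children, which is what the 1.0.1 fix relies on) and a caller-side allowlist check (`isValidRepoSlug` and `repoFromQuery` are hypothetical helpers, assumed here, that a consuming app could apply before the value reaches any component). The `renderLoading*` functions are string stand-ins for the component's loading-state markup, and the injected sample input is constructed for illustration.

```javascript
// Entity map matching what React uses when it escapes text content.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern (stand-in for <div dangerouslySetInnerHTML={{ __html: `Loading ${repo}...` }} />):
// whatever is in `repo` is interpreted as markup by the browser.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// Fixed pattern (stand-in for <div>Loading {repo}...</div>): the value is escaped,
// so markup characters in `repo` are displayed literally instead of parsed.
function renderLoadingSafe(repo) {
  return `<div class="repo-card">Loading ${escapeHtml(repo)}...</div>`;
}

// Defence in depth at the call site (hypothetical helper): a GitHub "owner/name"
// slug has a narrow character set, so reject anything outside it before it is
// handed to any component, regardless of how that component renders it.
const REPO_SLUG = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

function isValidRepoSlug(repo) {
  return typeof repo === 'string' && REPO_SLUG.test(repo);
}

// Safe replacement for `params.get('repo') || 'facebook/react'` in the PoC:
// only a well-formed slug is accepted; anything else falls back to the default.
function repoFromQuery(search, fallback = 'facebook/react') {
  const value = new URLSearchParams(search).get('repo');
  return isValidRepoSlug(value) ? value : fallback;
}

// Simple detector for a unit test: does the rendered markup contain any tag
// other than the template's own <div>? True means untrusted markup got through.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((t) => !/^<\/?div$/.test(t));
}

// Constructed sample input: a repo slug with markup appended.
const INJECTED = 'owner/name<b>injected</b>';
console.log('unsafe :', renderLoadingUnsafe(INJECTED));
console.log('safe   :', renderLoadingSafe(INJECTED));
console.log('query  :', repoFromQuery('?repo=owner%2Fname%3Cb%3Einjected'));

module.exports = { escapeHtml, renderLoadingUnsafe, renderLoadingSafe, isValidRepoSlug, repoFromQuery, containsInjectedTag };
```

The escaping in `renderLoadingSafe` is the same property the advisory's fix obtains for free from JSX data binding; the slug validation is an extra, independent control for consumers who cannot upgrade immediately or who also pass the value into other sinks such as URLs or API calls.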
How to fix CVE-2026-27612
To remediate CVE-2026-27612, upgrade the affected package to a fixed version below.
- repostat: upgrade to 1.0.1 or later
Is CVE-2026-27612 being exploited?
Low. EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- repostat: from 0, < 1.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |