PT-2026-21366 · Isso · Isso

Author: Byamb4 · Published: 2026-02-21 · Updated: 2026-02-24

CVE-2026-27469 · CVSS v3.1: 6.1 (Medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Isso versions prior to 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144

Description: Isso, a lightweight commenting server written in Python and JavaScript, contains a stored Cross-Site Scripting (XSS) issue. The website and author fields of a comment are affected because of insufficient HTML escaping. Specifically, the website field was not properly HTML-escaped, leaving single and double quotes unescaped. Because the website value is inserted into a single-quoted href attribute via string concatenation, a quote in the value terminates the attribute early, which allows injection of arbitrary event handlers such as onmouseover or onclick. The comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id//edit/) also lack proper escaping. Enabling comment moderation raises the bar for exploitation but does not fully mitigate the issue: a moderator who activates a malicious comment would still expose visitors.

Recommendations: Update Isso to version 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144 or later.
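The following JavaScript is an added example, not Isso's own code and not the referenced fix. It contrasts the bug class the description names (an escaper that leaves quotes alone while the value is concatenated into a single-quoted href) with a complete escaper, and includes a small check modelled on how an HTML tokenizer reads a single-quoted attribute. The author and website values are constructed, and every function name here is an assumption.

```javascript
// Added example (not Isso's code). Two renderers build the same markup
// shape the advisory describes: a single-quoted href assembled by string
// concatenation. Only the escaper differs.

// Weak: escapes the characters that matter in text context, but not
// quotes, so the value is unsafe inside a quoted attribute.
function escapeTextOnly(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Complete: also escapes both quote characters, so the value can sit
// inside a single- or double-quoted attribute without ending it early.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: quote-blind escaper + single-quoted attribute.
function renderAuthorLinkWeak(author, website) {
  return "<a href='" + escapeTextOnly(website) + "'>" + escapeTextOnly(author) + "</a>";
}

// Hardened shape: same concatenation, attribute-safe escaper.
function renderAuthorLinkFixed(author, website) {
  return "<a href='" + escapeHtml(website) + "'>" + escapeHtml(author) + "</a>";
}

// Check that mimics an HTML tokenizer reading a single-quoted attribute:
// the href value ends at the first raw single quote, and anything between
// that quote and the tag's closing ">" is parsed as further attributes.
// A correct rendering therefore yields an empty trailingAttributes.
function tokenizeAnchor(markup) {
  const start = markup.indexOf("href='");
  if (start < 0) return null;
  const valueStart = start + "href='".length;
  const valueEnd = markup.indexOf("'", valueStart);
  const tagEnd = markup.indexOf(">", valueEnd);
  return {
    href: markup.slice(valueStart, valueEnd),
    trailingAttributes: markup.slice(valueEnd + 1, tagEnd).trim(),
  };
}

// Constructed sample values: a benign author name and URL that each
// contain a single quote, which is enough to show the attribute boundary.
const SAMPLE_AUTHOR = "O'Brien";
const SAMPLE_WEBSITE = "https://example.com/~o'brien";

function demo() {
  const weak = renderAuthorLinkWeak(SAMPLE_AUTHOR, SAMPLE_WEBSITE);
  const fixed = renderAuthorLinkFixed(SAMPLE_AUTHOR, SAMPLE_WEBSITE);
  return { weak, fixed, weakTokens: tokenizeAnchor(weak), fixedTokens: tokenizeAnchor(fixed) };
}

// With the weak renderer the href stops at "~o" and "brien'" spills out
// as attribute text; with the fixed renderer the whole URL stays inside
// the attribute and nothing spills out.
console.log(JSON.stringify(demo(), null, 2));
```

The browser decodes `&#39;` back to a literal quote when it reads the attribute value, so the hardened rendering still links to the intended URL; it just can no longer close the attribute. Where a DOM is available, building the element with `document.createElement("a")` and `setAttribute("href", website)` avoids the string-concatenation hazard entirely, since no HTML tokenization of the value takes place.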

Weakness Enumeration: Improper Encoding or Escaping of Output; XSS

Related Identifiers: CVE-2026-27469; GHSA-9FWW-8CPR-Q66R

Affected Products: Isso