PT-2026-21840 · Repostat · Repostat

Denpiligrim · Published: 2026-02-25 · Updated: 2026-02-25

CVE-2026-27612

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Repostat versions prior to 1.0.1

Description

Repostat, a React component used to display GitHub repository information, contains a Reflected Cross-Site Scripting (XSS) issue. The RepoCard component previously used dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state without proper sanitization. This allowed for the execution of arbitrary JavaScript in a user's browser if an attacker could control the input passed into the repo prop. The issue was addressed in version 1.0.1 by removing the use of dangerouslySetInnerHTML and utilizing standard React JSX data binding for safe rendering.

Recommendations

Update Repostat to version 1.0.1 or later.
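
The difference between the two rendering paths named in the description, as an added example that is not Repostat's own code. It models raw HTML insertion and text binding with plain string functions so it runs without React; the function names, the "Loading ..." markup and the sample input are assumptions, and the slug check is extra hardening beyond the fix described above.

```javascript
// Added example, not Repostat's code. Function names and the "Loading ..."
// markup are assumptions; the sample input is constructed.

// Stand-in for the escaping a JSX text binding ({repo}) applies.
function escapeText(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pre-1.0.1 pattern: the prop lands unescaped in the string handed to
// dangerouslySetInnerHTML, so the browser parses it as HTML.
function renderLoadingRaw(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// 1.0.1 pattern: the prop is bound as text, so markup characters are inert.
function renderLoadingBound(repo) {
  return `<div class="repo-card">Loading ${escapeText(repo)}...</div>`;
}

// Extra hardening (assumption, not part of the fix described on this page):
// accept only an owner/name slug before the value reaches any component.
function isRepoSlug(repo) {
  return typeof repo === "string" &&
    /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/.test(repo);
}

// Number of elements the browser would create beyond the wrapper <div>.
function extraElements(html) {
  return (html.match(/<[A-Za-z][^>]*>/g) || []).length - 1;
}

const sample = "octocat/<b>hello-world</b>"; // constructed, benign markup
console.log("raw path, extra elements:", extraElements(renderLoadingRaw(sample)));
console.log("bound path, extra elements:", extraElements(renderLoadingBound(sample)));
console.log("slug accepted:", isRepoSlug(sample), isRepoSlug("octocat/hello-world"));
```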

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27612
GHSA-FM8C-6M29-RP6J

Affected Products

Repostat