PT-2026-21922 · Live Codes · Livecode

Nekros1Xx · Published 2026-02-25 · Updated 2026-02-28 · CVE-2026-27701

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: LiveCode versions prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11

Description: LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, the i18n-update-pull GitHub Actions workflow is susceptible to JavaScript injection. The title of a Pull Request is interpolated directly into a JavaScript block of the actions/github-script step through a GitHub Actions template expression. An attacker can inject arbitrary JavaScript by opening a Pull Request with a specially crafted title. The injected JavaScript executes with the permissions of the CI bot token (CI APP ID / CI APP PRIVATE KEY), potentially allowing exfiltration of repository secrets and unauthorized operations via the GitHub API.

Recommendations: Update LiveCode to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or later.

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2026-27701
GHSA-XH9W-5859-X97J

Affected Products
Livecode