CVE-2026-35208

Name of the Vulnerable Software and Affected Versions lichess.org (affected versions not specified)

Description lichess.org, a free and open-source chess server, had a server-side HTML injection sink in the /streamer endpoint and the homepage “Live streams” widget. Approved streamers could inject arbitrary HTML by including markup in their Twitch or YouTube stream title. While a Content Security Policy (CSP) was in place to block inline script execution, the issue remained exploitable. To trigger this, a Lichess account needed to meet streamer requirements: being older than 2 days with at least 15 games played, or being a verified/titled account, and receiving moderator approval. Once live, Lichess would render the platform title directly into the user interface.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.