Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.1
Isso allows hackers to inject malicious code via website field
CVE-2026-27469
GHSA-9fww-8cpr-q66r
Summary
A hacker can inject malicious code into Isso's website field, potentially allowing them to take control of your website. This can happen when a user posts a comment with a specially crafted website URL. To fix the issue, upgrade to a version that includes a recent patch that properly escapes and validates user input.
What to do
- Update isso to version 0.13.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | isso | <= 0.13.2 | 0.13.2 |
Original title
Isso affected by Stored XSS via comment website field
Original description
## Impact
This is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick).
The same escaping was missing entirely from the user-facing comment edit endpoint (PUT /id/<id>) and the moderation edit endpoint (POST /id/<id>/edit/<key>).
Any visitor to a page embedding isso comments is impacted. No authentication or interaction beyond mouse movement is required to trigger a payload — an attacker can post a comment anonymously (moderation is off by default) with a crafted website URL, and the payload persists in the database and fires on every page load. With the full-page invisible overlay technique described in the report, the victim only needs to move their mouse.
## Patches
The issue is fixed in commit 3cf27c2. Users should upgrade to a version containing that commit once released. The fix applies html.escape(..., quote=True) to the website field across all three write paths (POST /new, PUT /id/<id>, POST /id/<id>/edit/<key>), and adds input validation and escaping to the moderation edit endpoint which previously had neither.
## Workarounds
Enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation. However, it
does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors. There is no configuration-only workaround that fully prevents
the vulnerability.
## Resources
- https://docs.python.org/3/library/html.html#html.escape — note the quote parameter
This is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick).
The same escaping was missing entirely from the user-facing comment edit endpoint (PUT /id/<id>) and the moderation edit endpoint (POST /id/<id>/edit/<key>).
Any visitor to a page embedding isso comments is impacted. No authentication or interaction beyond mouse movement is required to trigger a payload — an attacker can post a comment anonymously (moderation is off by default) with a crafted website URL, and the payload persists in the database and fires on every page load. With the full-page invisible overlay technique described in the report, the victim only needs to move their mouse.
## Patches
The issue is fixed in commit 3cf27c2. Users should upgrade to a version containing that commit once released. The fix applies html.escape(..., quote=True) to the website field across all three write paths (POST /new, PUT /id/<id>, POST /id/<id>/edit/<key>), and adds input validation and escaping to the moderation edit endpoint which previously had neither.
## Workarounds
Enabling comment moderation (moderation = enabled = true in isso.cfg) prevents unauthenticated users from publishing comments, raising the bar for exploitation. However, it
does not fully mitigate the issue since a moderator activating a malicious comment would still expose visitors. There is no configuration-only workaround that fully prevents
the vulnerability.
## Resources
- https://docs.python.org/3/library/html.html#html.escape — note the quote parameter
nvd CVSS3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
CWE-116
- https://nvd.nist.gov/vuln/detail/CVE-2026-27469
- https://github.com/advisories/GHSA-9fww-8cpr-q66r
- https://docs.python.org/3/library/html.html#html.escape
- https://github.com/isso-comments/isso/commit/0afbfe0691ee237963e8fb0b2ee01c9e55c...
- https://github.com/isso-comments/isso/security/advisories/GHSA-9fww-8cpr-q66r
Published: 24 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026