
repostat: Malicious Code Can Be Injected Via Repository Name

CVE-2026-27612 GHSA-fm8c-6m29-rp6j
Summary

A security flaw in the repostat package allows an attacker to run malicious code in a user's browser when unvalidated user input is passed directly as the repository name. This can happen if a developer using this package reads the repository name from a URL query parameter without checking its safety first. To protect against this, update to repostat version 1.0.1, which fixes this issue.

What to do
  • Update denpiligrim repostat to version 1.0.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| denpiligrim | repostat | <= 1.0.1 | 1.0.1 |
| denpiligrim | repostat | <= 1.0.1 | – |
Original title
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Original description
### Impact
The `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization.

If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser.

### Proof of Concept
```jsx
import { RepoCard } from 'repostat';

function App() {
  // Attacker-controlled value: taken straight from the ?repo= query parameter
  // with no validation before it reaches the component.
  const params = new URLSearchParams(window.location.search);
  const maliciousRepo = params.get('repo') || 'facebook/react';

  // In versions before 1.0.1 the loading state renders `repo` through
  // dangerouslySetInnerHTML, so any markup in the value is interpreted as HTML.
  return <RepoCard repo={maliciousRepo} token="YOUR_TOKEN" />;
}
```

### Remediation
Update to version 1.0.1. The use of `dangerouslySetInnerHTML` has been removed, and the `repo` prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.
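As an added illustration (not code from the repostat project), the following plain JavaScript models the two rendering paths the advisory contrasts, raw HTML insertion versus escaped text binding, and adds an input check a consuming application can apply before a query-string value ever reaches the `repo` prop. The function names (`escapeHtml`, `renderLoadingUnsafe`, `renderLoadingSafe`, `isValidRepoSlug`, `repoFromQuery`) are hypothetical, and the slug pattern is an assumption about GitHub-style owner/name identifiers.

```javascript
// Added example, not part of repostat. Models the vulnerable and fixed
// rendering paths and a consumer-side validator for the `repo` value.

// Escaping equivalent to what React applies to text bound in JSX.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (pre-1.0.1 behaviour): the value becomes raw HTML,
// so any markup inside it is interpreted by the browser.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card loading">Loading ${repo}...</div>`;
}

// Fixed pattern (1.0.1 behaviour): the value is bound as text, so markup
// characters are escaped and displayed literally.
function renderLoadingSafe(repo) {
  return `<div class="repo-card loading">Loading ${escapeHtml(repo)}...</div>`;
}

// Defence in depth for consumers: accept only an owner/name slug (assumed
// GitHub rules: owner is alphanumeric/hyphen, name allows . _ - as well).
const REPO_SLUG = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

function isValidRepoSlug(value) {
  return typeof value === 'string' && REPO_SLUG.test(value);
}

// Safe replacement for `params.get('repo') || 'facebook/react'`: a value
// that fails validation never reaches the component; the default is used.
function repoFromQuery(search, fallback = 'facebook/react') {
  const candidate = new URLSearchParams(search).get('repo');
  return candidate !== null && isValidRepoSlug(candidate) ? candidate : fallback;
}

// Constructed sample input: markup where a repository slug is expected.
const tainted = 'octocat/<b>hello</b>';
```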
NVD CVSS 3.1 score: 6.1
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026