OpenSift: Untrusted Content Executes in Browser on Earlier Versions
CVE-2026-27169
Summary
OpenSift versions 1.1.2-alpha and below allow an attacker to inject script into chat tool content. The script runs in a user's browser when that user views a compromised study or quiz, which can lead to unauthorized actions in the app performed as that user. Update to version 1.1.3-alpha to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opensift | opensift | <= 1.1.3 | – |
Original title
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces u...
Original description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces using unsafe HTML interpolation patterns, leading to XSS. Stored content can execute JavaScript when later viewed in authenticated sessions. An attacker who can influence stored study/quiz/flashcard content could trigger script execution in a victim’s browser, potentially performing actions as that user in the local app session. This issue has been fixed in version 1.1.3-alpha.
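Added example, not code from OpenSift or the advisory: the unsafe HTML interpolation pattern the description refers to, shown beside the output-encoding fix (the CWE-116 defect), with a small check a reviewer can run over a rendered fragment. The card field names, function names and the stored sample content are assumptions.

```javascript
// Constructed stored content (assumed shape): a flashcard whose answer field
// already carries markup, written there by a user or a model response.
const storedCard = {
  question: "What does 2+2 equal?",
  answer: '4 <img src="x" onerror="alert(\'xss\')">',
};

// Vulnerable pattern: stored text is interpolated straight into HTML, so any
// tag or event-handler attribute in the field becomes live when viewed.
function renderCardUnsafe(card) {
  return `<div class="card"><p>${card.question}</p><p>${card.answer}</p></div>`;
}

// Fix: encode the five HTML-significant characters before interpolation, so
// the same stored text is displayed literally instead of being parsed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCardSafe(card) {
  return `<div class="card"><p>${escapeHtml(card.question)}</p><p>${escapeHtml(card.answer)}</p></div>`;
}

// Reviewer-side check: does a rendered fragment contain any element other than
// the ones the template itself emits, or an inline event-handler attribute?
function containsLiveMarkup(html, templateTags = ["div", "p"]) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  for (const m of html.matchAll(tagRe)) {
    const [, name, attrs] = m;
    if (!templateTags.includes(name.toLowerCase())) return true; // foreign element
    if (/\bon[a-z]+\s*=/i.test(attrs)) return true;              // on*= handler
  }
  return false;
}

console.log("unsafe render is live:", containsLiveMarkup(renderCardUnsafe(storedCard)));
console.log("safe render is live:  ", containsLiveMarkup(renderCardSafe(storedCard)));
```

The same check is useful as a regression test for every UI surface that displays study, quiz or flashcard text; escaping must happen at render time, because the stored value itself is legitimately allowed to contain those characters.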
NVD CVSS 3.1 score: 8.9
Vulnerability type
- CWE-79: Cross-site Scripting (XSS)
- CWE-116: Improper Encoding or Escaping of Output
References
- Product Release Notes: https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha
- Vendor Advisory: https://github.com/OpenSift/OpenSift/security/advisories/GHSA-qrpx-7cmv-5gv5
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026