
Karakeep app allows malicious HTML to execute in browser

CVE-2026-27627
Summary

A security issue in Karakeep version 0.30.0 allows malicious HTML code from Reddit bookmarks to run in users' browsers. This could lead to unauthorized actions, such as stealing user data or displaying unwanted content. Update to version 0.31.0 to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor          Product    Affected versions   Fix available
localhostlabs   karakeep   0.30.0              –
Original title
Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running...
Original description
Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
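The bug class described above, as an added example that is not Karakeep's code: a crawler pipeline in which one content source returns its own `readableContentHtml` and bypasses the sanitizer, beside the fixed dispatch that sanitizes every path, plus the regression check a maintainer would keep so no future source can skip it. `sanitizeHtml` and `readability` are assumed stand-ins (a small allowlist filter, not DOMPurify, because DOMPurify needs a DOM), and the metascraper result shapes and hostile input are constructed.

```javascript
// Stand-in sanitizer (assumption, NOT DOMPurify): keeps a small tag allowlist,
// drops script/style blocks, and strips all attributes except http(s) hrefs.
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br']);

function sanitizeHtml(html) {
  // Remove script/style elements together with their contents.
  let out = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Rewrite every remaining tag: unknown tags vanish, known tags lose attributes.
  return out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (m, tag, attrs) => {
    const t = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(t)) return '';
    if (m.startsWith('</')) return `</${t}>`;
    if (t === 'a') {
      const href = /\bhref\s*=\s*["']?(https?:\/\/[^"'\s>]+)/i.exec(attrs);
      return href ? `<a href="${href[1]}">` : '<a>';
    }
    return `<${t}>`;
  });
}

// Stand-in for Readability (assumption): the real one extracts the article body.
const readability = (rawHtml) => rawHtml;

// Vulnerable dispatch: the Reddit shortcut trusts plugin-supplied HTML as-is.
function extractContentVulnerable(source, meta) {
  if (source === 'reddit' && meta.readableContentHtml) {
    return meta.readableContentHtml;               // BUG: no Readability, no sanitizer
  }
  return sanitizeHtml(readability(meta.rawHtml));  // every other source is sanitized
}

// Fixed dispatch: choose the HTML source first, then sanitize unconditionally.
function extractContentFixed(source, meta) {
  const html = (source === 'reddit' && meta.readableContentHtml)
    ? meta.readableContentHtml
    : readability(meta.rawHtml);
  return sanitizeHtml(html);                       // single choke point for all paths
}

// Regression check: nothing handed to the reader view may carry active content.
const ACTIVE_CONTENT = /<script\b|<iframe\b|\bon[a-z]+\s*=|javascript:/i;
function hasActiveContent(html) { return ACTIVE_CONTENT.test(html); }

// Constructed hostile page content, as a plugin response might carry it.
const HOSTILE = '<p>hi</p><img src=x onerror="alert(1)"><script>alert(2)</script><a href="javascript:alert(3)">x</a>';
```

In a real deployment the sanitizer is DOMPurify and the regression check runs in the test suite over every registered content source, so adding a new plugin cannot silently reopen this path.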
nvd CVSS3.1 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026