CVE-2026-27627: Karakeep Bookmark App XSS Vulnerability

CVE-2026-27627 Overview

CVE-2026-27627 is a Cross-Site Scripting (XSS) vulnerability in Karakeep, a self-hostable bookmark-everything application. The vulnerability exists in version 0.30.0 where the Reddit metascraper plugin fails to sanitize HTML content before rendering it in the user's browser. When the Reddit metascraper returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify, allowing malicious HTML to execute in the context of the user's session.

Critical Impact

Attackers can inject and execute arbitrary JavaScript in users' browsers through malicious Reddit content, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of authenticated users.

Affected Products

• Karakeep version 0.30.0

Discovery Timeline

• 2026-02-25 - CVE CVE-2026-27627 published to NVD
• 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-27627

Vulnerability Analysis

This vulnerability stems from inconsistent input sanitization in Karakeep's content crawling pipeline. While most content sources in the crawler are properly sanitized through Readability and DOMPurify before being rendered, the Reddit metascraper path bypasses both of these critical security layers. The unsanitized HTML content is then passed directly to React's dangerouslySetInnerHTML property in the reader view component, which renders raw HTML without any escaping or sanitization.

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a category of Cross-Site Scripting vulnerabilities. This type of flaw allows attackers to inject client-side scripts that execute in the context of other users' browser sessions.

Root Cause

The root cause is a missing sanitization step in the Reddit content processing path. While other content sources go through a standard pipeline that includes Readability parsing and DOMPurify sanitization, the Reddit metascraper plugin returns readableContentHtml that is used directly by the rendering component. This architectural inconsistency means that any malicious HTML embedded in Reddit content—whether from a compromised Reddit post or a malicious API response—will be executed when the bookmark is viewed.

Attack Vector

The attack leverages the network-based delivery of malicious content through the Reddit metascraper functionality. An attacker could craft or manipulate Reddit content containing malicious JavaScript payloads. When a Karakeep user bookmarks this content, the unsanitized HTML is stored and later executed in the user's browser when viewing the bookmark in the reader view.

The vulnerability requires user interaction (bookmarking malicious Reddit content and viewing it), but no authentication is required from the attacker's perspective. The impact is significant as the malicious script executes with the same privileges as the authenticated user, potentially enabling:

• Session token theft via document.cookie access
• Keylogging and credential harvesting
• Unauthorized actions performed on behalf of the user
• Phishing attacks through DOM manipulation
• Exfiltration of sensitive bookmark data

Detection Methods for CVE-2026-27627

Indicators of Compromise

• Unexpected JavaScript execution when viewing Reddit-sourced bookmarks
• Unusual network requests originating from the Karakeep reader view to external domains
• Modified or injected DOM elements in bookmark content that were not part of the original Reddit post
• Browser console errors or warnings related to XSS-related content security policy violations

Detection Strategies

• Implement Content Security Policy (CSP) headers to detect and block inline script execution
• Monitor browser developer tools for unexpected script injection in the reader view component
• Review stored bookmark content for suspicious HTML tags such as <script>, <iframe>, or event handlers like onerror, onload
• Audit application logs for unusual Reddit metascraper activity or malformed responses

Monitoring Recommendations

• Enable CSP reporting to capture attempted XSS attacks in production environments
• Monitor for anomalous outbound network connections from user browser sessions
• Implement client-side integrity monitoring for the reader view component
• Set up alerts for unusual patterns in bookmarked Reddit content

How to Mitigate CVE-2026-27627

Immediate Actions Required

• Upgrade Karakeep to version 0.31.0 or later immediately
• Review existing bookmarks from Reddit sources for potentially malicious content
• Clear browser cache and storage for Karakeep instances running vulnerable versions
• Advise users to log out and re-authenticate after applying the patch to invalidate potentially compromised sessions

Patch Information

The vulnerability has been patched in Karakeep version 0.31.0. The fix ensures that all content sources, including the Reddit metascraper, go through proper sanitization via DOMPurify before being rendered in the reader view. Users should upgrade immediately by pulling the latest release.

For technical details on the patch implementation, refer to the GitHub commit ba3db953c0d8675e2e3ecc29113a332b570b2cb9. The official release notes are available at GitHub Release v0.31.0, and the security advisory can be found at GHSA-mg93-f9mw-wpgj.

Workarounds

• Disable or avoid using the Reddit bookmark functionality until the patch is applied
• Implement a reverse proxy or web application firewall (WAF) rule to strip potentially malicious HTML from Reddit-sourced content
• Deploy Content Security Policy headers with strict script-src directives to prevent inline script execution
• Temporarily disable the reader view feature and use external links only for Reddit bookmarks

# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none';" always;