CVE-2026-35208 Overview
CVE-2026-35208 is a server-side HTML injection vulnerability affecting lichess.org, the popular open-source chess server. The vulnerability allows any approved streamer to inject arbitrary HTML into the /streamer page and the homepage "Live streams" widget by placing malicious markup in their Twitch or YouTube stream title. While Content Security Policy (CSP) is present and blocks inline script execution, the underlying HTML injection sink remains exploitable on the server side.
Critical Impact
Approved streamers can inject arbitrary HTML content into Lichess pages affecting all site visitors viewing the streamer widget or streamer pages.
Affected Products
- lichess.org (lila repository) - versions prior to commit 0d5002696ae705e1888bf77de107c73de57bb1b3
- Lichess streamer module
- Lichess homepage "Live streams" widget
Discovery Timeline
- 2026-04-06 - CVE-2026-35208 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35208
Vulnerability Analysis
This vulnerability is a Cross-Site Scripting (XSS) weakness classified under CWE-79. The root cause is that external stream titles from third-party platforms such as Twitch and YouTube are rendered without HTML encoding. When an approved streamer goes live, Lichess pulls the platform stream title and inserts it directly into the UI as markup. The flaw lets an attacker inject HTML that can deface pages, plant phishing elements, or enable other browser-based attacks that do not rely on inline scripts, which the CSP blocks.
To exploit this vulnerability, an attacker needs to satisfy the normal Lichess streamer requirements: an account older than 2 days with at least 15 games played, or a verified/titled account. After receiving moderator approval, the attacker can set their Twitch or YouTube stream title containing malicious HTML markup. Once the streamer goes live, the malicious content is pulled by Lichess and rendered directly into the streamer widget and homepage.
Root Cause
The vulnerability stems from the Lichess application treating external stream titles as trusted HTML content. The Publisher.scala and TwitchApi.scala modules in the streamer component directly embedded stream status values containing the raw title text without proper HTML encoding or sanitization. The application imported and used lila.core.data.Html to handle these values, inadvertently treating user-controlled external content as safe markup.
Attack Vector
The attack vector is network-based and requires low privileges (an approved streamer account). An attacker can inject arbitrary HTML by:
- Creating or using an existing Lichess account that meets streamer requirements (2+ days old with 15+ games, or verified/titled)
- Applying for and receiving streamer approval from Lichess moderators
- Setting up a Twitch or YouTube stream with a malicious HTML payload in the title
- Going live, triggering Lichess to pull and render the malicious title
The security patch modifies how stream status values are handled:
.liveMatching(
streamers,
s =>
- s.status.value.toLowerCase.contains(keyword.toLowerCase) ||
+ s.status.toLowerCase.contains(keyword.toLowerCase) ||
alwaysFeatured().value.contains(s.streamer.id)
)
.zip(ytApi.liveMatching(streamers))
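Review bot: dropping `.value` on `s.status` only changes the type at this keyword-matching site; nothing in the hunk shows that the template which renders `status` into the widget now escapes it. Add a regression test that feeds a title containing `<` through `liveMatching` and the widget renderer and asserts the output contains `&lt;`, so the fix cannot silently regress if an `Html` wrapper is reintroduced upstream.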
Source: GitHub Commit
The patch also removes the Html type import from TwitchApi.scala, ensuring stream titles are no longer treated as HTML:
import lila.common.Json.given
import lila.core.config.Secret
import lila.core.config.NetConfig
-import lila.core.data.Html
private object Twitch:
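Review bot: removing `import lila.core.data.Html` is the right direction, but this hunk does not show the sites in TwitchApi.scala where the title was wrapped in `Html(...)`; those must have changed in the same commit for the file to compile, and each should be checked to confirm the title is now carried as a plain String all the way to the view. A one-line comment at the field holding the title, stating that it is platform-controlled text and must never be wrapped in `Html`, would document the intent for future readers.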
Source: GitHub Commit
Detection Methods for CVE-2026-35208
Indicators of Compromise
- Unusual HTML tags appearing in streamer widget content or /streamer pages
- Stream titles containing HTML elements such as <div>, <img>, <iframe>, or <form> tags
- User reports of visual anomalies or phishing elements in the streamer section
- Web application firewall (WAF) logs showing HTML injection attempts in stream title fields
Detection Strategies
- Implement content integrity monitoring on streamer widget HTML output
- Deploy WAF rules to detect and alert on HTML tag patterns in stream title API responses
- Monitor for changes in streamer page DOM structure that indicate injected content
- Review application logs for unusual patterns in external API data processing
Monitoring Recommendations
- Enable logging for all external API calls to Twitch and YouTube that fetch stream metadata
- Implement real-time alerting for HTML tags detected in stream title content
- Conduct periodic security audits of user-generated content rendering paths
- Monitor CSP violation reports for blocked inline script execution attempts
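To make the root cause and the detection point concrete, the following Python model is an added illustration, not lila code: a renderer that escapes plain strings but emits an `Html` wrapper verbatim (mirroring the convention behind `lila.core.data.Html`), the "Live streams" widget rendered with the title wrapped (the flaw) and unwrapped (the fix), and a small check that flags titles containing HTML tags for alerting. The `Html` class, `render_live_streams` and the sample titles are assumptions constructed for the example.

```python
"""Model of the streamer-widget HTML sink behind CVE-2026-35208 (illustrative only)."""
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Html:
    """Marker for markup the application already trusts (modelled on lila.core.data.Html)."""
    value: str


def render_fragment(fragment) -> str:
    """A plain str is entity-encoded; an Html wrapper is emitted verbatim.
    Wrapping a value in Html is therefore a declaration that it is safe markup."""
    if isinstance(fragment, Html):
        return fragment.value
    return html.escape(str(fragment), quote=True)


def render_live_streams(streamers, trust_title: bool) -> str:
    """Render a 'Live streams' list for (streamer_id, title) pairs.
    trust_title=True reproduces the flaw: the external title is wrapped in Html."""
    items = []
    for streamer_id, title in streamers:
        status = Html(title) if trust_title else title  # the fix: keep the title a plain str
        items.append(
            f'<li><a href="/streamer/{html.escape(streamer_id, quote=True)}">'
            f'{render_fragment(streamer_id)}</a>: {render_fragment(status)}</li>'
        )
    return '<ul class="live-streams">' + "".join(items) + "</ul>"


TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def markup_in_title(title: str) -> bool:
    """Detection aid: True if the title contains anything that parses as an HTML tag.
    Meant for alerting on fetched stream metadata, not as a substitute for escaping."""
    return TAG_RE.search(title) is not None


# Constructed sample titles, not real Twitch/YouTube data.
SAMPLE = [
    ("grandmaster_x", "Blitz arena & Q&A"),
    ("streamer_y", '<iframe src="https://example.invalid/"></iframe>Bullet night'),
]

if __name__ == "__main__":
    print(render_live_streams(SAMPLE, trust_title=True))   # iframe tag reaches the page
    print(render_live_streams(SAMPLE, trust_title=False))  # tag arrives as &lt;iframe ...
    print([sid for sid, title in SAMPLE if markup_in_title(title)])
```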
How to Mitigate CVE-2026-35208
Immediate Actions Required
- Update the Lichess lila application to include commit 0d5002696ae705e1888bf77de107c73de57bb1b3 or later
- Review streamer approval processes and temporarily suspend streaming features if immediate patching is not possible
- Audit existing streamer content for signs of HTML injection
- Implement additional input validation on external stream title data
Patch Information
The vulnerability is fixed in commit 0d5002696ae705e1888bf77de107c73de57bb1b3. Organizations running self-hosted Lichess instances should pull the latest changes from the lila repository and redeploy. For detailed information about the security fix, consult the GitHub Security Advisory.
Workarounds
- Temporarily disable the streamer widget on the homepage until the patch is applied
- Implement server-side HTML entity encoding for all external stream title content
- Add manual review of stream titles before rendering on the platform
- Deploy additional CSP directives to further restrict potential exploitation
# Example: fetch the lila repository and build at the commit carrying the fix
git fetch origin
git checkout 0d5002696ae705e1888bf77de107c73de57bb1b3
sbt stage
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.