Description
Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`repo` prop) during the loading state without any sanitization. If a developer using this package passes unvalidated user input directly into the `repo` prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user's browser. In version 1.0.1, the use of dangerouslySetInnerHTML has been removed, and the repo prop is now safely rendered using standard React JSX data binding, which automatically escapes HTML entities.
Published: 2026-02-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution via reflected XSS
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from the RepoCard component rendering the repository name through React's dangerouslySetInnerHTML during its loading state. Because the component does not sanitize the repo prop, an attacker can supply arbitrary HTML or JavaScript, for example via a URL query parameter, that executes in the browser of any user who loads the page. This allows an attacker to steal session cookies, hijack user sessions, or otherwise compromise the confidentiality and integrity of the client's browser session. The weakness is a classic reflected cross-site scripting flaw, classified as CWE-79. The impact is strictly client-side and does not affect the server or the underlying GitHub data.

Affected Systems

The affected software is denpiligrim repostat. Any use of the RepoCard component in versions prior to 1.0.1 is vulnerable; the flaw is tied specifically to the handling of the repo prop. All installations of repostat that pull in older versions, whether via npm, yarn, or directly from the repository, are at risk until they upgrade to v1.0.1 or later.

Risk and Exploitability

The CVSS score of 6.1 classifies the issue as Medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. The most likely exploitation scenario is a malicious link carrying a crafted repo query parameter; a user who clicks the link triggers the XSS payload. No privileges are required, but the attacker must convince a user to visit the crafted URL. The scope is limited to the victim's browser session, but the consequences can be severe if the page holds sensitive information or authentication cookies.

Generated by OpenCVE AI on April 17, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the repostat package to version 1.0.1 or later, which removes the use of dangerouslySetInnerHTML.
  • If an upgrade is not immediately possible, refactor any instances of RepoCard to eliminate dangerouslySetInnerHTML and validate or sanitize the repo prop before rendering, for example by escaping HTML entities or using a whitelisted format.
  • Conduct a client‑side security audit to identify any remaining unsanitized inputs that could still lead to reflected XSS within your application.
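An added example (not repostat's own code) that contrasts the loading-state rendering described in the Description, before and after 1.0.1, with the allow-list check suggested in the recommended actions. Plain strings stand in for React elements so it runs under Node, and the `owner/name` slug rules it enforces are an assumption, not a published GitHub specification.

```javascript
// Added example, not repostat's own code: a framework-free model of the two
// ways RepoCard can render its `repo` prop in the loading state, plus an
// allow-list check for callers that read `repo` from the URL.

// Escapes the same five characters React's JSX text binding ({repo}) escapes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pre-1.0.1 pattern: the prop is inserted as raw markup, which is what
// dangerouslySetInnerHTML={{ __html: ... }} does to the DOM.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// 1.0.1 pattern: the prop is rendered as text, so any markup in it is inert.
function renderLoadingSafe(repo) {
  return `<div class="repo-card">Loading ${escapeHtml(repo)}...</div>`;
}

// Assumed allow-list for an "owner/name" GitHub repository slug:
// owner is 1-39 alphanumerics or hyphens, not starting with a hyphen;
// name is 1-100 alphanumerics, dots, underscores or hyphens.
const REPO_SLUG = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

// Reads ?repo=... from a query string and returns the slug, or null when the
// value is missing or fails the allow-list. This is defence in depth even on
// a patched RepoCard, since the caller decides what reaches the prop.
function repoFromQuery(search) {
  const repo = new URLSearchParams(search).get('repo');
  return repo !== null && REPO_SLUG.test(repo) ? repo : null;
}

// Constructed sample inputs: a legitimate slug and a tag-bearing value.
const GOOD = '?repo=denpiligrim/repostat';
const BAD = '?repo=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Demonstration on the constructed inputs.
const raw = new URLSearchParams(BAD).get('repo'); // "<script>alert(1)</script>"
console.log(renderLoadingUnsafe(raw)); // raw <script> tag reaches the markup
console.log(renderLoadingSafe(raw));   // &lt;script&gt;... stays inert text
console.log(repoFromQuery(GOOD), repoFromQuery(BAD)); // "denpiligrim/repostat" null
```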



Advisories
Source: GitHub GHSA
ID: GHSA-fm8c-6m29-rp6j
Title: repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
History

Fri, 27 Feb 2026 19:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:denpiligrim:repostat:*:*:*:*:*:node.js:*:*

Thu, 26 Feb 2026 23:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values added: Denpiligrim; Denpiligrim repostat
Type: Vendors & Products
Values added: Denpiligrim; Denpiligrim repostat

Wed, 25 Feb 2026 03:15:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)
Type: Title
Values added: Repostat Vulnerable to Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (empty)
Type: Metrics
Values added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-02-26T21:33:40.838Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27612

Vulnrichment

Updated: 2026-02-26T20:58:39.420Z

NVD

Status: Analyzed

Published: 2026-02-25T03:16:05.627

Modified: 2026-02-27T19:08:59.367

Link: CVE-2026-27612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z