Description
Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
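The bug and its fix, as an added example that is not Karakeep's own code: it models the two crawler paths the description lists, with `extractReadable` and `sanitize` as injected stand-ins for Readability and DOMPurify.sanitize (assumed names), and a toy sanitizer so the file runs in plain Node.

```javascript
// Constructed sample of a hostile Reddit response (not real data).
const REDDIT_RESULT = {
  source: "reddit",
  readableContentHtml:
    '<p>post body</p><img src="x" onerror="alert(1)"><script>alert(1)</script>',
};

// 0.30.0 shape: the Reddit plugin's pre-extracted HTML is trusted as-is, so the
// branch that skips Readability also skips DOMPurify.
function prepareReaderHtmlVulnerable(result, { extractReadable, sanitize }) {
  if (result.readableContentHtml !== undefined) {
    return result.readableContentHtml; // BUG: reaches dangerouslySetInnerHTML unsanitized
  }
  return sanitize(extractReadable(result.html));
}

// Hardened shape: extraction may differ per source, but sanitization runs once,
// unconditionally, at the boundary just before the reader view renders it.
function prepareReaderHtmlFixed(result, { extractReadable, sanitize }) {
  const readable =
    result.readableContentHtml !== undefined
      ? result.readableContentHtml
      : extractReadable(result.html);
  return sanitize(readable);
}

// Toy stand-in for DOMPurify.sanitize so this runs without a DOM: it strips only
// <script> blocks and on* handlers and is NOT a usable sanitizer.
function toySanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Runs both versions over one crawl result and reports whether active content
// (script tags or inline handlers) survives into the reader-view HTML.
function compareReddit(result = REDDIT_RESULT) {
  const deps = { extractReadable: (html) => html, sanitize: toySanitize }; // identity stands in for Readability
  const vulnerable = prepareReaderHtmlVulnerable(result, deps);
  const fixed = prepareReaderHtmlFixed(result, deps);
  const hasActive = (s) => /<script|\son[a-z]+\s*=/i.test(s);
  return {
    vulnerable,
    fixed,
    vulnerableUnsafe: hasActive(vulnerable),
    fixedUnsafe: hasActive(fixed),
  };
}

console.log(compareReddit());
```

The point is structural: a per-source early return is how a sanitizer gets bypassed, so the sanitizer belongs at the sink where every source converges.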
Published: 2026-02-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch Now
AI Analysis

Impact

Karakeep's Reddit metascraper plugin bypasses DOMPurify sanitization, resulting in stored cross-site scripting when malicious HTML is returned from Reddit. The vulnerable code path forwards the plugin's `readableContentHtml` directly into `dangerouslySetInnerHTML` in the reader view, with no sanitization step in between. This is a classic stored XSS weakness (CWE-79) that allows an attacker to execute arbitrary client-side code in the browser of any user who views the affected content.

Affected Systems

The vulnerability affects Karakeep version 0.30.0. Karakeep is a self-hosted bookmark-management application. The known CPE is cpe:2.3:a:localhostlabs:karakeep:0.30.0, and the vendor is listed as karakeep-app.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and the EPSS score is below 1%, implying a very low but non-zero likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can embed malicious scripts into Reddit posts that are parsed by the vulnerable plugin; when a user opens the reader view, the browser executes the injected code. This results in client-side compromise without requiring privileged system access, and can affect any user who views the affected Reddit content through Karakeep.

Generated by OpenCVE AI on April 17, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Karakeep to version 0.31.0 or later, which restores DOMPurify sanitization for Reddit content.
  • If an upgrade is not yet possible, disable or remove the Reddit metascraper plugin to block the unfiltered content from being rendered.
  • Alternatively, configure the application to enforce sanitization on all crawled content or remove the use of dangerouslySetInnerHTML for rendered posts.



Advisories

No advisories yet.

History

Tue, 10 Mar 2026 19:00:00 +0000

  CPEs
    Removed: cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:node.js:*:*
    Added:   cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:-:*:*

Fri, 27 Feb 2026 19:00:00 +0000

  First Time appeared
    Added:   Localhostlabs
    Added:   Localhostlabs karakeep
  CPEs
    Added:   cpe:2.3:a:localhostlabs:karakeep:0.30.0:*:*:*:*:node.js:*:*
  Vendors & Products
    Added:   Localhostlabs
    Added:   Localhostlabs karakeep

Wed, 25 Feb 2026 22:15:00 +0000

  Metrics
    Added:   ssvc
             {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

  First Time appeared
    Added:   Karakeep
    Added:   Karakeep karakeep
  Vendors & Products
    Added:   Karakeep
    Added:   Karakeep karakeep

Wed, 25 Feb 2026 04:15:00 +0000

  Description
    Added:   Karakeep is a self-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns `readableContentHtml`, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify, but the Reddit path skips both. Since this content ends up in `dangerouslySetInnerHTML` in the reader view, any malicious HTML in the Reddit response gets executed in the user's browser. Version 0.31.0 contains a patch for this issue.
  Title
    Added:   Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS
  Weaknesses
    Added:   CWE-79
  References
  Metrics
    Added:   cvssV3_1
             {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:20:03.257Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27627

Vulnrichment

Updated: 2026-02-25T21:19:58.400Z

NVD

Status : Analyzed

Published: 2026-02-25T04:16:03.757

Modified: 2026-03-10T18:51:43.750

Link: CVE-2026-27627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses