Description
LiveCodes is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCodes' `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the pull request associated with the triggering issue comment is interpolated directly into an `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

LiveCodes' i18n-update-pull GitHub Actions workflow injects the pull request title into a JavaScript block that runs under the CI bot token. This flaw allows an attacker to craft a PR title that contains arbitrary JavaScript, enabling the attacker to execute code with the privileges of the CI bot. The attacker can exfiltrate repository secrets, modify code, or perform unauthorized GitHub API operations, compromising the confidentiality, integrity, and potentially the availability of the affected repositories. The underlying weakness is described by CWE-94, improper handling of untrusted input in a code-generation context.

Affected Systems

The affected product is LiveCodes (live-codes:livecodes). All releases that include the i18n-update-pull workflow before commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 contain the vulnerability. Builds at or after that commit contain the fix.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to open a pull request; the attack vector is remote via GitHub's web interface or API. If exploited, the attacker can leverage the CI bot's token to gain full control over the repository, posing significant risk to any organization using the default workflow configuration.

Generated by OpenCVE AI on April 17, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix included in commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or upgrade to a newer release of LiveCodes.
  • Disable or modify the i18n-update-pull workflow to avoid embedding unsanitized PR titles into a JavaScript execution context; replace the title interpolation with a safe method or escape the input.
  • Restrict the CI bot token’s permissions by revoking unnecessary scopes and enabling strict branch protection rules and mandatory pull request reviews before merges.

Generated by OpenCVE AI on April 17, 2026 at 15:14 UTC.
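The injection pattern from the Description (a template expression expanding an untrusted PR title inside an `actions/github-script` block) and the recommended fix of keeping the title out of the script body, shown as an added example that is neither LiveCodes' workflow nor OpenCVE's content: a small Python checker that flags `${{ }}` expressions with attacker-controlled contexts inside `run:`/`script:` values, run over a constructed vulnerable fragment and its hardened counterpart that passes the title through `env:`. The untrusted-context list, the constructed YAML and the `PR_TITLE` variable name are assumptions.

```python
import re
# Contexts that carry attacker-controlled text: a constructed, non-exhaustive list
# (assumption); extend it for the events your own workflows consume.
UNTRUSTED_RE = re.compile(
    r"github\.event\.issue\.(title|body)"
    r"|github\.event\.pull_request\.(title|body|head\.ref)"
    r"|github\.event\.comment\.body|github\.head_ref"
)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Values of run: (shell) and script: (actions/github-script) are executed as code.
CODE_KEY_RE = re.compile(r"^(\s*)(?:-\s+)?(run|script):\s*(.*)$")

def find_injections(workflow_text):
    """Return (line_no, expression) for each ${{ }} that embeds untrusted input inside
    a run:/script: value. Expressions elsewhere (e.g. under env:) are not flagged:
    the value then reaches the code as data rather than as source text."""
    findings, code_indent = [], None   # code_indent: indent of the open run:/script: key
    for n, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        key = CODE_KEY_RE.match(line)
        if key:                                    # new run:/script: key, inline or block
            code_indent, code_text = len(key.group(1)), key.group(3)
        elif code_indent is not None and line.strip() and indent <= code_indent:
            code_indent, code_text = None, ""      # block scalar has ended
        elif code_indent is not None:
            code_text = line                       # continuation line of the block
        else:
            code_text = ""
        for expr in EXPR_RE.finditer(code_text):
            if UNTRUSTED_RE.search(expr.group(1)):
                findings.append((n, expr.group(0)))
    return findings

# Constructed fragments modelled on the advisory's description, not LiveCodes' real file.
VULNERABLE = """\
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const title = "${{ github.event.issue.title }}"; // title becomes JS source
            core.info(title);
"""
# Hardened form: the expression moves to env:, and the script reads process.env.PR_TITLE.
FIXED = VULNERABLE.replace(
    "        with:\n",
    "        env:\n          PR_TITLE: ${{ github.event.issue.title }}\n        with:\n",
).replace('"${{ github.event.issue.title }}"; // title becomes JS source',
          "process.env.PR_TITLE; // arrives as data, never parsed as code")
```

Running `find_injections` over the two fragments reports the `script:` line of the vulnerable one and nothing for the hardened one; the same check applies to `run:` steps.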

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

  Type: Metrics | Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

  Type: First Time appeared | Values added: Live-codes; Live-codes livecodes
  Type: Vendors & Products | Values added: Live-codes; Live-codes livecodes

Wed, 25 Feb 2026 15:45:00 +0000

  Type: Description | Values added: LiveCodes is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCodes' `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the pull request associated with the triggering issue comment is interpolated directly into an `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue.
  Type: Title | Values added: LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
  Type: Weaknesses | Values added: CWE-94
  Type: References | Values added: (none listed)
  Type: Metrics | Values added: cvssV4_0
    {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:00:20.183Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27701

Vulnrichment

Updated: 2026-02-27T17:00:03.561Z

NVD

Status: Deferred

Published: 2026-02-25T16:23:26.613

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses