CVE-2026-27612: repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
The RepoCard component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React’s dangerouslySetInnerHTML to render the repository name (repo prop) during the loading state without any sanitization.
If a developer using this package passes unvalidated user input directly into the repo prop (for example, reading it from a URL query parameter), an attacker can execute arbitrary JavaScript in the context of the user’s browser.
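The vulnerable pattern and its fix, reduced to plain JavaScript so it runs without React. This is an added illustration, not code from the repostat package; the loading-state markup and the GitHub-style `owner/name` repo identifier rule are assumptions.

```javascript
// Added illustration (not repostat's own code); the card markup is assumed.
// Unsafe path: models what dangerouslySetInnerHTML does. The repo prop is
// interpolated into the raw __html string, so any markup in it becomes live DOM.
function renderLoadingUnsafe(repo) {
  return `<div class="repo-card">Loading ${repo}...</div>`;
}

// HTML-escape the five characters that can break out of a text node or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened path: escape before the value is placed in HTML. In React the
// equivalent fix is to render {repo} as JSX text instead of using
// dangerouslySetInnerHTML, because JSX escapes text children automatically.
function renderLoadingSafe(repo) {
  return `<div class="repo-card">Loading ${escapeHtml(repo)}...</div>`;
}

// Defence in depth at the input boundary (e.g. a URL query parameter): a
// GitHub-style "owner/name" identifier only uses these characters (assumed
// rule), so anything else is rejected before it ever reaches the prop.
const REPO_PATTERN = /^[A-Za-z0-9_.-]{1,100}\/[A-Za-z0-9_.-]{1,100}$/;
function isValidRepoName(repo) {
  return REPO_PATTERN.test(repo);
}

// Constructed sample inputs: a normal repo name and one carrying markup.
const benign = 'octocat/hello-world';
const hostile = 'octocat/<script>evil()</script>';

// Summarise the contrast between the two rendering paths and the validator.
function demo() {
  return {
    unsafeKeepsMarkup: renderLoadingUnsafe(hostile).includes('<script>'),
    safeKeepsMarkup: renderLoadingSafe(hostile).includes('<script>'),
    benignAccepted: isValidRepoName(benign),
    hostileAccepted: isValidRepoName(hostile),
  };
}
```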