HTML Parsing Vulnerability in Karakeep Application by Karakeep
CVE-2026-27627

8.2HIGH

Key Information:

Vendor

Karakeep-app

Status
Karakeep
Vendor
CVE Published:
25 February 2026

What is CVE-2026-27627?

The Karakeep application, a bookmark-everything app, suffers from a vulnerability in version 0.30.0. This flaw arises from the improper handling of HTML content returned by the Reddit metascraper plugin. Unlike other content sources processed through Readability and DOMPurify, the Reddit response is used directly, allowing malicious HTML to be executed in users' browsers via dangerouslySetInnerHTML. Users are strongly advised to upgrade to version 0.31.0, which addresses this security issue.

Affected Version(s)

karakeep = 0.30.0

References

https://github.com/karakeep-app/karakeep/security/advisor...
x_refsource_CONFIRM
https://github.com/karakeep-app/karakeep/commit/ba3db953c...
x_refsource_MISC
https://github.com/karakeep-app/karakeep/releases/tag/v0....
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.