CVE-2026-35208 — lichess.org is the forever free, adless and open source chess server. Any…

/HIGH
CVE Notify vulnerabilitycvetools
CVE-2026-35208 — lichess.org is the forever free, adless and open source chess server. Any…

Image via opengraph.githubassets.com

🚨 CVE-2026-35208 lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but

don't treat external stream titles as HTML · lichess-org/lila@0d50026
github.com

What This Means For You

  • New vulnerability disclosed — verify if your stack is exposed.
  • New tool or resource available — evaluate for your security workflow.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1564.004 Hide Artifacts: Masquerading Defense Evasion T1071.001 Web Protocols: Web Protocols Command and Control

Indicators of Compromise

IDTypeIndicator
CVE-2026-35208 HTML Injection lichess.org: Arbitrary HTML injection into /streamer and homepage 'Live streams' widget via Twitch/YouTube stream title. Vulnerable component: Streamer profile processing. Fixed by commit 0d5002696ae705e1888bf77de107c73de57bb1b3.
CVE-2026-35208 Server-Side Injection lichess.org: Server-side HTML injection sink in streamer stream titles. Affects: Approved streamers. Triggered by placing markup in Twitch/YouTube stream titles.
🔎
Turn this CVE into SIEM detection coverage Generate detection rules for Splunk, Sentinel, QRadar & Elastic — straight from this vulnerability. Use /detect in the Intel Bot.
Open Intel Bot →
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
PublishedApril 07, 2026 at 00:26 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Ubiquiti Patches Three Max Severity UniFi OS Vulnerabilities

Ubiquiti has rolled out critical security updates addressing three maximum severity vulnerabilities in UniFi OS. BleepingComputer reports these flaws, tracked as CVE-2023-48092, CVE-2023-48093, and CVE-2023-48094,...

threat-inteldata-breachmalwarevulnerabilitytools
/SCW Vulnerability Desk /MEDIUM /⚑ 3 IOCs /⚙ 1 Sigma

Megalodon GitHub Attack: 5,561 Repos Hit with Malicious CI/CD Workflows

The Hacker News reports a new automated campaign, dubbed Megalodon, that injected 5,718 malicious commits into 5,561 GitHub repositories within a mere six-hour window. This...

threat-intelvulnerabilitytools
/SCW Vulnerability Desk /MEDIUM /⚑ 3 IOCs /⚙ 3 Sigma

WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content

CVE-2026-9011 — The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 3 IOCs