Platform: javascript
Component: lila
Fixed in: 0.0.1
CVE-2026-35208 is a server-side HTML injection vulnerability in the Lila chess server (Lichess) that can be triggered by approved streamers. It allows a malicious streamer to inject arbitrary HTML into the /streamer page and the "Live streams" widget on the homepage, potentially leading to content manipulation and degradation of the user experience. The vulnerability impacts Lichess Chess Server versions up to and including 0d5002696ae705e1888bf77de107c73de57bb1b3, but a patch is available in version 0d5002696ae705e1888bf77de107c73de57bb1b3.
CVE-2026-35208 in Lichess allows approved streamers to inject arbitrary HTML into the /streamer pages and the "Live streams" widget on the homepage. This is achieved by manipulating their stream titles on Twitch or YouTube, which Lichess fetches and renders. While Lichess implements a Content Security Policy (CSP) that blocks inline script execution, the server-side HTML injection sink remains: the title is placed into the page as markup rather than as text. An attacker needs a Lichess account that meets the standard streamer requirements and gets approved, meaning the account must satisfy a minimum age (as per Streamer.canApply). HTML injection can be used to display malicious content, redirect users to unwanted websites, or perform other harmful actions within the context of Lichess.
A malicious streamer can exploit this vulnerability to inject HTML into the stream page and the live streams widget on the Lichess homepage. The attacker needs an approved streamer account. Once approved, the streamer can change their stream title on Twitch or YouTube to include HTML markup. That markup is rendered on the /streamer page and in the live streams widget, affecting users who visit these pages. The CSP blocks inline script execution but does not prevent the injected HTML from being rendered, enabling visual manipulation and potentially redirection through injected links.
Exploit Status
EPSS: 0.07% (21st percentile)
Lichess has implemented a fix (commit 0d5002696ae705e1888bf77de107c73de57bb1b3) to address this vulnerability. The primary mitigation involves more robust validation and sanitization of stream titles before they are included in web pages. Users of Lichess are advised to ensure they are using the latest version of the website to benefit from this fix. Streamers are also advised to avoid including potentially harmful or unwanted content in their stream titles, as a precautionary measure, even after the vulnerability has been patched. The Lichess team continues to monitor and improve the platform's security.
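To make the sink and the fix concrete, the following is an added JavaScript example, not lila's own code (which this page does not show): a live-streams widget renderer that interpolates an upstream stream title unescaped, beside the hardened version that entity-encodes every untrusted field. The stream records and the title carrying markup are constructed sample data.

```javascript
// Added example (not lila's own code): how a stream title fetched from Twitch/YouTube
// reaches the page as HTML, and why it must be escaped at the point of interpolation.
// Constructed sample records: the kind of data a streamer controls on the upstream platform.
const SAMPLE_STREAMS = [
  { user: "streamer_one", platform: "twitch", title: "Blitz arena tonight!" },
  // Constructed title carrying markup: rendered unescaped, the <a> becomes part of the DOM.
  { user: "streamer_two", platform: "youtube",
    title: 'Study <a href="https://example.invalid">click here</a>' },
];

// Entity-encode the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape of the sink: the upstream title is concatenated into markup as-is.
function renderLiveStreamsVulnerable(streams) {
  return streams.map(s =>
    `<div class="stream"><strong>${s.user}</strong> on ${s.platform}: ${s.title}</div>`
  ).join("\n");
}

// Hardened shape: every field that originates outside the server is escaped before interpolation.
function renderLiveStreams(streams) {
  return streams.map(s =>
    `<div class="stream"><strong>${escapeHtml(s.user)}</strong> on ${escapeHtml(s.platform)}: ${escapeHtml(s.title)}</div>`
  ).join("\n");
}

// Regression check: an untrusted value that contains a tag must not appear verbatim in the output.
function containsRawMarkup(html, untrustedValue) {
  return /<[a-zA-Z]/.test(untrustedValue) && html.includes(untrustedValue);
}
```

The same check can be run over the rendered /streamer page in a test suite, so that a title with markup is caught before it ships.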
Update to version 0d5002696ae705e1888bf77de107c73de57bb1b3 or later to prevent injection of unsanitized HTML through stream titles and the live streams widget. The update corrects how Lichess handles stream titles, ensuring that any HTML they contain is properly sanitized before being rendered in the user interface.
It's an identifier for a security vulnerability in Lichess that allows arbitrary HTML injection.
It could result in the display of unwanted or potentially malicious content on stream pages and the live streams widget.
Yes, Lichess has released a fix to address this vulnerability. Ensure you are using the latest version of the website.
Ensure your browser is updated and use the latest version of Lichess. Be cautious of suspicious links you find on the stream page.
No, it is not necessary to create a new account. The fix is applied to all users using the latest version of Lichess.