Plataforma
javascript
Componente
livecodes
Corrigido em
151.0.1
CVE-2026-27701 describes a JavaScript injection vulnerability affecting LiveCode, an open-source client-side code playground. This vulnerability allows attackers to inject arbitrary JavaScript code into the CI/CD pipeline, potentially leading to sensitive data exfiltration. The vulnerability impacts versions of LiveCode prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11. A fix is available in version e151c64c2bd80d2d53ac1333f1df9429fe6a1a11.
The vulnerability lies within LiveCode's i18n-update-pull GitHub Actions workflow. Specifically, the Pull Request title is directly interpolated into a actions/github-script JavaScript block without proper sanitization. An attacker can craft a malicious Pull Request title containing JavaScript code. When this PR is processed by the CI/CD pipeline, the injected JavaScript executes with the privileges of the CI bot token. This token has access to the LiveCode repository, allowing an attacker to potentially exfiltrate sensitive data, such as API keys, credentials, or source code. The potential impact is significant, as it could compromise the entire repository and downstream systems relying on LiveCode.
This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication that this vulnerability is being actively exploited in the wild. The vulnerability's exploitation requires a specific attack vector (crafting a malicious Pull Request), which may limit its immediate exploitability. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals using LiveCode, particularly those with public repositories and open contribution workflows, are at risk. Teams relying on the CI/CD pipeline for automated builds and deployments are especially vulnerable, as a compromised CI bot token could lead to widespread code contamination.
• javascript: Examine GitHub Actions workflow logs for unusual JavaScript execution within the i18n-update-pull workflow. Look for unexpected network requests or file modifications.
• github: Review recent Pull Requests for suspicious titles containing JavaScript-like syntax or unusual characters.
• github: Monitor the CI bot token's activity for unauthorized access to repository resources.
• javascript: If possible, inspect the generated actions/github-script code for injected JavaScript.
disclosure
Status do Exploit
EPSS
0.06% (percentil 19%)
CISA SSVC
The primary mitigation is to upgrade LiveCode to version e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or later. This version includes a fix that properly sanitizes the Pull Request title before it is interpolated into the JavaScript block. As a temporary workaround, restrict access to the i18n-update-pull GitHub Actions workflow to trusted contributors only. Review all recent Pull Requests for suspicious titles. Consider implementing stricter code review processes to prevent the introduction of malicious code via PR titles. After upgrading, confirm the fix by attempting to create a Pull Request with a malicious title and verifying that the JavaScript is not executed.
Atualize LiveCodes para a versão e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 ou posterior. Esta versão corrige a vulnerabilidade de injeção de JavaScript no fluxo de trabalho `i18n-update-pull`.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-27701 is a JavaScript injection vulnerability in LiveCode versions before e151c64c2bd80d2d53ac1333f1df9429fe6a1a11. Attackers can inject malicious JavaScript via crafted Pull Request titles, potentially exfiltrating repository data.
You are affected if you are using LiveCode versions prior to e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 and accept Pull Requests.
Upgrade LiveCode to version e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or later. Restrict access to the i18n-update-pull workflow as a temporary workaround.
There is currently no indication that CVE-2026-27701 is being actively exploited in the wild.
Refer to the LiveCode security advisories on their official website for the most up-to-date information regarding CVE-2026-27701.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.