26 matches found
CVE-2026-35208
lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...
CVE-2026-35208
CVE-2026-35208 affects lichess.org: an Unsanitized Stream Title Injection occurs in the streamer workflow where approved streamers can inject HTML into the /streamer page and the Live streams widget by providing a title, which is rendered in the UI as-is. CSP blocks inline scripts, but the vulner...
CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer
lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...
lila 安全漏洞
Lila is an ad-free and open-source chess server developed by Lichess. Lila has a security vulnerability that stems from allowing approved hosts to inject arbitrary HTML, which may lead to server-side HTML injection attacks...
CVE-2025-52186
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
EUVD-2025-175319
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
CVE-2025-52186
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
CVE-2025-52186
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
CVE-2025-52186
Summary: CVE-2025-52186 affects Lichess Lila (before commit 11b4c0fb00f0ffd823246f839627005459c8f05c) with a Server-Side Request Forgery (SSRF) in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing a remote attacker to compel the ...
PT-2025-46842
🚨 CVE-2025-52186 Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to...
CVE-2025-52186
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
CVE-2025-52186
Lichess lila before commit 11b4c0fb00f0ffd823246f839627005459c8f05c 2025-06-02 contains a Server-Side Request Forgery SSRF vulnerability in the game export API. The players parameter is passed directly to an internal HTTP client without validation, allowing remote attackers to force the server to...
EUVD-2025-15174
Malicious code in bioql PyPI...
Lichess: CSRF at Network feature
A CSRF vulnerability was found in the network feature, where an attacker could change the Network Routing settings by sending a CSRF script to the victim...
Malicious code in lichess-db (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 475d752d815f7e78b4625da2eea3b8f39eab9a81a1fd93dd56d2d3aab31c379f Any computer that has this package installed or running should be considered...
Lichess: ImageId Format Injection in Image Upload Endpoint
The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...
Lichess: Server-Side Request Forgery (SSRF) via Game Export API
The Lichess game export API was found to be vulnerable to Server-Side Request Forgery SSRF due to insufficient input validation of the "players" parameter. This allowed an attacker to make the Lichess server send arbitrary HTTP requests to external URLs, potentially exposing sensitive information...
Lichess: Improper Authentication Throttling Allows Attacker-Controlled Account Lockouts
The application lacks sufficient safeguards in its authentication throttling logic. It permits arbitrary users to trigger lockouts on any account by submitting multiple failed login attempts using a known or guessed username. Because the system does not verify the request origin or impose...
CVE-2025-48051
powertip.ts in Lila for Lichess before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML...
CVE-2025-48051
powertip.ts in Lila for Lichess before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML...