CVE-2026-35208 lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is...

Lichess: Unauthorized Blogs Creation

A vulnerability was identified on the lichess.org website that allowed unauthorized blog creation. By manipulating certain requests and leveraging the session cookies of a different account, an attacker could bypass account-specific limitations and create a blog post on an account that was not ye...