CVE-2026-27701 HIGH

CVE-2026-27701: LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow

Vendor Live-Codes

Product livecodes

Weakness CWE-94 · Code injection

Published February 25, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

Description

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated directly into a `actions/github-script` JavaScript block using a GitHub Actions template expression. An attacker who opens a PR with a crafted title can inject arbitrary JavaScript that executes with the privileges of the CI bot token (`CI_APP_ID` / `CI_APP_PRIVATE_KEY`), enabling exfiltration of repository secrets and unauthorized GitHub API operations. Commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 fixes the issue.

Key dates

Disclosure timeline

February 25, 2026 CVE published

February 27, 2026 Record updated

Identifiers

CVE CVE-2026-27701

CWE CWE-94

CVSS 8.8 / HIGH

Affected versions

Vendor Live-Codes

Product livecodes

Affected < e151c64c2bd80d2d53ac1333f1df9429fe6a1a11