XSS in Lichess-org Lila

CVE-2026-35208

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage “Live streams” widget by placing markup in their Twitch/YouTube stream title. CSP is pres…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (12.0th percentile)

Affected products

Weakness classification (CWE)

References