CVE-2026-2825
Received Received - Intake
Cross-Site Scripting in rachelos WeRSS Article Module

Publication date: 2026-02-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2825
EUVD
EUVD-2026-7618
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rachelos we_mprss to 1.4.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2825 is a Stored Cross-Site Scripting (XSS) vulnerability found in WeRSS versions up to and including 1.4.8. It exists in the function fix_html within the file tools/fix.py of the Article module.

The vulnerability arises because user-controllable input is not properly sanitized before being included in web page output. This allows authenticated users to inject malicious scripts that are stored and later executed when other users view the affected content.

The issue enables remote attackers to perform cross-site scripting attacks by manipulating input, potentially compromising data integrity and user interaction.

Impact Analysis

This vulnerability can allow attackers to inject and execute malicious scripts in the context of other users viewing the affected content, leading to cross-site scripting attacks.

Such attacks can compromise user data, hijack user sessions, deface web content, or redirect users to malicious sites.

Because the exploit is remotely executable and requires user interaction, it poses a risk to the integrity and security of the affected application and its users.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in WeRSS versions up to 1.4.8, specifically in the fix_html function of tools/fix.py. Detection typically involves identifying malicious script injections in the content processed by the Article module.

Since the vulnerability involves stored XSS, detection on your system may include reviewing logs or database entries for suspicious script tags or unusual HTML content in user-submitted data.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

The vulnerability is fixed by modifying the fix_html function in tools/fix.py to properly sanitize content and prevent cross-site scripting.

Since no known countermeasures or mitigations are identified, it is suggested to consider replacing the affected product with an alternative or applying the official fix if available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart