CVE-2026-2825
Cross-Site Scripting in rachelos WeRSS Article Module
Publication date: 2026-02-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rachelos | we_mprss | to 1.4.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2825 is a Stored Cross-Site Scripting (XSS) vulnerability found in WeRSS versions up to and including 1.4.8. It exists in the function fix_html within the file tools/fix.py of the Article module.
The vulnerability arises because user-controllable input is not properly sanitized before being included in web page output. This allows authenticated users to inject malicious scripts that are stored and later executed when other users view the affected content.
The issue enables remote attackers to perform cross-site scripting attacks by manipulating input, potentially compromising data integrity and user interaction.
How can this vulnerability impact me? :
This vulnerability can allow attackers to inject and execute malicious scripts in the context of other users viewing the affected content, leading to cross-site scripting attacks.
Such attacks can compromise user data, hijack user sessions, deface web content, or redirect users to malicious sites.
Because the exploit is remotely executable and requires user interaction, it poses a risk to the integrity and security of the affected application and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in WeRSS versions up to 1.4.8, specifically in the fix_html function of tools/fix.py. Detection typically involves identifying malicious script injections in the content processed by the Article module.
Since the vulnerability involves stored XSS, detection on your system may include reviewing logs or database entries for suspicious script tags or unusual HTML content in user-submitted data.
No specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are not explicitly detailed in the provided resources.
The vulnerability is fixed by modifying the fix_html function in tools/fix.py to properly sanitize content and prevent cross-site scripting.
Since no known countermeasures or mitigations are identified, it is suggested to consider replacing the affected product with an alternative or applying the official fix if available.