Description

A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PUBLISHED Reserved 2026-02-19 | Published 2026-02-20 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
LOW: 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
LOW: 3.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR

Problem types

Cross Site Scripting

Code Injection

Product status

1.4.0: affected
1.4.1: affected
1.4.2: affected
1.4.3: affected
1.4.4: affected
1.4.5: affected
1.4.6: affected
1.4.7: affected
1.4.8: affected

Timeline

2026-02-19: Advisory disclosed
2026-02-19: VulDB entry created
2026-02-22: VulDB entry last update

Credits

din4 (VulDB User) reporter

References

vuldb.com/?id.346950 (VDB-346950 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting) vdb-entry technical-description

vuldb.com/?ctiid.346950 (VDB-346950 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.753879 (Submit #753879 | rachelos WeRSS WeRSS<=1.4.8 Stored Cross-Site Scripting (XSS)) third-party-advisory

www.notion.so/...cle-module-300ea92a3c4180be87dffca6b47d17f7 exploit

cve.org (CVE-2026-2825)

nvd.nist.gov (CVE-2026-2825)
