{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2825", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-19T17:24:48.104Z", "datePublished": "2026-02-20T06:02:06.763Z", "dateUpdated": "2026-02-23T10:31:15.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:31:15.505Z"}, "title": "rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "rachelos", "product": "WeRSS we-mp-rss", "versions": [{"version": "1.4.0", "status": "affected"}, {"version": "1.4.1", "status": "affected"}, {"version": "1.4.2", "status": "affected"}, {"version": "1.4.3", "status": "affected"}, {"version": "1.4.4", "status": "affected"}, {"version": "1.4.5", "status": "affected"}, {"version": "1.4.6", "status": "affected"}, {"version": "1.4.7", "status": "affected"}, {"version": "1.4.8", "status": "affected"}], "modules": ["Article Module"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-19T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-22T08:50:35.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "din4 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346950", "name": "VDB-346950 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346950", "name": "VDB-346950 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753879", "name": "Submit #753879 | rachelos WeRSS WeRSS<=1.4.8 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T14:10:44.903926Z", "id": "CVE-2026-2825", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T14:11:58.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2825", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T14:10:44.903926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T14:11:53.490Z"}}], "cna": {"title": "rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "din4 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "rachelos", "modules": ["Article Module"], "product": "WeRSS we-mp-rss", "versions": [{"status": "affected", "version": "1.4.0"}, {"status": "affected", "version": "1.4.1"}, {"status": "affected", "version": "1.4.2"}, {"status": "affected", "version": "1.4.3"}, {"status": "affected", "version": "1.4.4"}, {"status": "affected", "version": "1.4.5"}, {"status": "affected", "version": "1.4.6"}, {"status": "affected", "version": "1.4.7"}, {"status": "affected", "version": "1.4.8"}]}], "timeline": [{"lang": "en", "time": "2026-02-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-19T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-22T08:50:35.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346950", "name": "VDB-346950 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346950", "name": "VDB-346950 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753879", "name": "Submit #753879 | rachelos WeRSS WeRSS<=1.4.8 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:31:15.505Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2825", "state": "PUBLISHED", "dateUpdated": "2026-02-23T10:31:15.505Z", "dateReserved": "2026-02-19T17:24:48.104Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-20T06:02:06.763Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en rachelos WeRSS we-mp-rss hasta 1.4.8. Esto impacta a la funci\u00f3n fix_html del archivo tools/fix.py del componente M\u00f3dulo de Art\u00edculo. La manipulaci\u00f3n provoca un cross site scripting. Es posible iniciar el ataque en remoto. El exploit ha sido divulgado al p\u00fablico y puede ser usado."}], "id": "CVE-2026-2825", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-20T07:16:42.470", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346950"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346950"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.753879"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.8"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WeRSS we-mp-rss", "source": "cna", "vendor": "rachelos"}, "product": "werss_we-mp-rss", "vendor": "rachelos"}], "analysis": {"en": {"generated_at": "2026-04-17T17:29:52.986273+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 1.4.8 that contains an official patch for the Article module.", "If an immediate upgrade is not feasible, apply server\u2011side output encoding to all article content, ensuring that user input is properly sanitized before rendering.", "Deploy a Content Security Policy that restricts inline script execution and disallows unsafe-eval to reduce the impact of any remaining XSS payloads."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects the WeRSS we\u2011mp\u2011rss product from rachelos, specifically any release up to version 1.4.8. All deployments that include the Article module and its fix_html helper in these versions are susceptible to the stored XSS exposure.", "description_and_impact": "This vulnerability arises from improper handling of user content in the Article module\u2019s fix_html function, allowing an attacker to inject malicious script code that is permanently stored and rendered in later page views. The direct result is a Stored Cross\u2011Site Scripting flaw that can compromise user browsers, steal session cookies, or execute arbitrary code within the site context. The description indicates that exploitation is possible from a remote location, and the exploit has already been publicly disclosed and is known to be usable.", "risk_and_exploitability": "The CVSS score of 5.1 places this vulnerability in the moderate category, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but because the flaw permits remote code execution via stored script payloads and has already been publicly disclosed, organizations should not dismiss it as insignificant. The primary attack vector is remote, likely delivered through crafted article submissions that leverage the unescaped output of the fix_html function."}}}}, "created": "2026-02-20T09:52:36.352696+00:00", "updated": "2026-04-17T17:30:23.871313+00:00", "vendors": ["rachelos", "rachelos$PRODUCT$werss_we-mp-rss"]}