{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2825", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-19T17:24:48.104Z", "datePublished": "2026-02-20T06:02:06.763Z", "dateUpdated": "2026-02-20T14:11:58.263Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-20T06:02:06.763Z"}, "title": "rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "rachelos", "product": "WeRSS we-mp-rss", "versions": [{"version": "1.4.0", "status": "affected"}, {"version": "1.4.1", "status": "affected"}, {"version": "1.4.2", "status": "affected"}, {"version": "1.4.3", "status": "affected"}, {"version": "1.4.4", "status": "affected"}, {"version": "1.4.5", "status": "affected"}, {"version": "1.4.6", "status": "affected"}, {"version": "1.4.7", "status": "affected"}, {"version": "1.4.8", "status": "affected"}], "modules": ["Article Module"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-19T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-19T18:29:52.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "din4 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346950", "name": "VDB-346950 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346950", "name": "VDB-346950 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753879", "name": "Submit #753879 | rachelos WeRSS WeRSS<=1.4.8 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T14:10:44.903926Z", "id": "CVE-2026-2825", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T14:11:58.263Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2825", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T14:10:44.903926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T14:11:53.490Z"}}], "cna": {"title": "rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "din4 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "rachelos", "modules": ["Article Module"], "product": "WeRSS we-mp-rss", "versions": [{"status": "affected", "version": "1.4.0"}, {"status": "affected", "version": "1.4.1"}, {"status": "affected", "version": "1.4.2"}, {"status": "affected", "version": "1.4.3"}, {"status": "affected", "version": "1.4.4"}, {"status": "affected", "version": "1.4.5"}, {"status": "affected", "version": "1.4.6"}, {"status": "affected", "version": "1.4.7"}, {"status": "affected", "version": "1.4.8"}]}], "timeline": [{"lang": "en", "time": "2026-02-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-19T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-19T18:29:52.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346950", "name": "VDB-346950 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346950", "name": "VDB-346950 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.753879", "name": "Submit #753879 | rachelos WeRSS WeRSS<=1.4.8 Stored Cross-Site Scripting (XSS)", "tags": ["third-party-advisory"]}, {"url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-20T06:02:06.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2825", "state": "PUBLISHED", "dateUpdated": "2026-02-20T14:11:58.263Z", "dateReserved": "2026-02-19T17:24:48.104Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-20T06:02:06.763Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en rachelos WeRSS we-mp-rss hasta 1.4.8. Esto impacta a la funci\u00f3n fix_html del archivo tools/fix.py del componente M\u00f3dulo de Art\u00edculo. La manipulaci\u00f3n provoca un cross site scripting. Es posible iniciar el ataque en remoto. El exploit ha sido divulgado al p\u00fablico y puede ser usado."}], "id": "CVE-2026-2825", "lastModified": "2026-02-20T13:49:47.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-20T07:16:42.470", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.346950"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.346950"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.753879"}, {"source": "cna@vuldb.com", "url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"created": "2026-02-20T09:52:36.352696+00:00", "updated": "2026-02-20T09:52:36.352809+00:00", "vendors": ["rachelos", "rachelos$PRODUCT$werss_we-mp-rss"]}