CVE-2026-2825 - Vulnerability Details

- rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting

Description

A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Published: 2026-02-20

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from improper handling of user content in the Article module’s fix_html function, allowing an attacker to inject malicious script code that is permanently stored and rendered in later page views. The direct result is a Stored Cross‑Site Scripting flaw that can compromise user browsers, steal session cookies, or execute arbitrary code within the site context. The description indicates that exploitation is possible from a remote location, and the exploit has already been publicly disclosed and is known to be usable.

Affected Systems

The flaw affects the WeRSS we‑mp‑rss product from rachelos, specifically any release up to version 1.4.8. All deployments that include the Article module and its fix_html helper in these versions are susceptible to the stored XSS exposure.

Risk and Exploitability

The CVSS score of 5.1 places this vulnerability in the moderate category, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but because the flaw permits remote code execution via stored script payloads and has already been publicly disclosed, organizations should not dismiss it as insignificant. The primary attack vector is remote, likely delivered through crafted article submissions that leverage the unescaped output of the fix_html function.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

rachelos

WeRSS we-mp-rss

affected

Version	Status	Constraints
`1.4.0`	affected	—
`1.4.1`	affected	—
`1.4.2`	affected	—
`1.4.3`	affected	—
`1.4.4`	affected	—
`1.4.5`	affected	—
`1.4.6`	affected	—
`1.4.7`	affected	—
`1.4.8`	affected	—

No data.

Vendor Product Confidence Versions

Rachelos

Werss We-mp-rss

100%

Version	Status	Scheme	Platform
`1.4.0`	affected	semver	—
`1.4.1`	affected	semver	—
`1.4.2`	affected	semver	—
`1.4.3`	affected	semver	—
`1.4.4`	affected	semver	—
`1.4.5`	affected	semver	—
`1.4.6`	affected	semver	—
`1.4.7`	affected	semver	—
`1.4.8`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a version newer than 1.4.8 that contains an official patch for the Article module.
If an immediate upgrade is not feasible, apply server‑side output encoding to all article content, ensuring that user input is properly sanitized before rendering.
Deploy a Content Security Policy that restricts inline script execution and disallows unsafe-eval to reduce the impact of any remaining XSS payloads.

Generated by OpenCVE AI on April 17, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/?ctiid.346950
https://vuldb.com/?id.346950
https://vuldb.com/?submit.753879
https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7

History

Fri, 20 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rachelos Rachelos werss We-mp-rss
Vendors & Products		Rachelos Rachelos werss We-mp-rss

Fri, 20 Feb 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Title		rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://vuldb.com/?ctiid.346950 https://vuldb.com/?id.346950 https://vuldb.com/?submit.753879 https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Rachelos Werss We-mp-rss

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-20T06:02:06.763Z

Updated: 2026-02-23T10:31:15.505Z

Reserved: 2026-02-19T17:24:48.104Z

Link: CVE-2026-2825

Vulnrichment

Updated: 2026-02-20T14:11:53.490Z

NVD

Status : Deferred

Published: 2026-02-20T07:16:42.470

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object