CVE-2023-26491

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26491

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26491.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26491

Aliases

GHSA-32gr-4cq6-5w5q

Published

2023-03-03T22:41:37.230Z

Modified

2025-12-04T13:59:54.119765Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVSS Calculator

Summary

RSSHub is vulnerable to cross-site scripting (XSS) via unvalidated URL parameters

Details

RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version, there are no known workarounds.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26491.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/diygod/rsshub

Affected ranges

Type: GIT
Repo: https://github.com/diygod/rsshub
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c910c4d28717fb860fbe064736641f379fab2c91

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26491.json"