GHSA-3V85-FQVH-7RXF Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
Summary: The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.Appendf(renderedContent, "%s", tag.Name) at internal/service/common/common.go:120, and the Markdown renderer at internal/util/md/md.go does not set the html.SkipHTML...
CVE-2026-4197
The CVE-2026-4197 entry affects D-Link DNS-120 family devices (DNS-120, DNS-1200-05, DNS-1550-04, and others listed) and is tied to the function RSS_Get_Update_Status/RSS_Update/RSS_Channel_AutoDownlaod/RSS_Add/RSS_Channel_Item_Downlaod/RSS_History_Item_List/RSS_Item_List in the file /cgi-bin/dow...
CVE-2026-27645 changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the...
CVE-2025-62721 LinkAce: Authorization Bypass Allows Unauthorized Access to All Private Links, Lists, and Tags
LinkAce is a self-hosted archive to collect website links. In versions 2.3.1 and below, authenticated RSS feed endpoints in the FeedController class fail to implement proper authorization checks, allowing any authenticated user to access all links, lists, and tags from all users in the system,...
EUVD-2006-4749
Malware in sbrugna...
EUVD-2006-4748
Malware in sbrugna...
CVE-2025-57937 WordPress WPeMatico RSS Feed Fetcher Plugin <= 2.8.10 - Sensitive Data Exposure Vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in etruel WPeMatico RSS Feed Fetcher (wpematico) allows Retrieve Embedded Sensitive Data. This issue affects WPeMatico RSS Feed Fetcher: from n/a through <= 2.8.10...
CVE-2025-57757 Contao discloses information in the news module
Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround...
UBUNTU-CVE-2022-29969
The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rss element if the feed is in $wgRSSUrlWhitelist and $wgRSSAllowLinkTag is true...
UBUNTU-CVE-2022-0093
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds...
CVE-2021-34484
creationtimestamp | type | source
---|---|---
2021-10-29 18:59:00+00:00 | exploited | https://t.me/truesecator/2270
2021-10-29 22:19:37+00:00 | published-proof-of-concept | https://t.me/hackertrick/363
2021-10-30 14:34:03+00:00 | exploited | https://t.me/NeKaspersky/1395
2021-11-10 23:12:02+00:00 | ...
Mozilla: JavaScript Execution via RSS in mailbox:// origin
It is possible to execute JavaScript in a parsed RSS feed when the feed is viewed as a website, e.g. via "View - Feed article - Website" or in the standard format of "View - Feed article - default format". This vulnerability affects Thunderbird 52.5.2...
Cybozu Garoon vulnerable to arbitrary script execution
Overview: Cybozu Garoon, a groupware product from Cybozu, contains a vulnerability that allows an attacker to execute an arbitrary script when a user views an RSS feed. Yoshiki Kawada of LAC Little eArth Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the vendors under Information...
Unfixed XSS vulnerability at hack-gundem.com
Security researcher St@rExT submitted on 17/08/2007 a cross-site scripting (XSS) vulnerability affecting hack-gundem.com, which at the time of submission ranked 1440836 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 21/08/2007. It is...
Unfixed XSS vulnerability at www.hack-medya.org
Security researcher St@rExT submitted on 01/04/2007 a cross-site scripting (XSS) vulnerability affecting www.hack-medya.org, which at the time of submission ranked 344892 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 01/04/2007. It is...
CVE-2006-4761
Multiple cross-site scripting (XSS) vulnerabilities in Luke Hutteman SharpReader allow remote attackers to inject arbitrary web script or HTML via a web feed, as demonstrated by certain test cases of the Robert Auger and Caleb Sima RSS and Atom feed reader test suite...
CVE-2006-4760
Multiple cross-site scripting (XSS) vulnerabilities in Benjamin Pasero and Tobias Eichert RSSOwl allow remote attackers to inject arbitrary web script or HTML via a web feed, as demonstrated by certain test cases of the Robert Auger and Caleb Sima RSS and Atom feed reader test suite...
CVE-2006-4761
Affected software: SharpReader (Luke Hutteman) RSS/Atom feed reader. Vulnerability: Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary script/HTML via a web feed. Cause/scope: Exploitation demonstrated in test suites for RSS/Atom feeds; vulnerability re...
CVE-2006-4762
Technical details about CVE-2006-4762 are not publicly provided in the supplied documents. Monitor for updates from NVD/CVE listings; current records describe XSS in Ykoon RssReader but lack specific affected versions, vectors, root cause, or fixes.