craftcms/cms is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in the body.twig and links.twig templates due to improper sanitization of the text attribute, which allows an attacker to inject and execute malicious JavaScript through the RSS feed.