CVE-2023-26491

RSSHub is vulnerable to cross-site scripting (XSS) via unvalidated URL parameters

Description

RSSHub is an open source and extensible RSS feed generator. When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. This vulnerability was fixed in version c910c4d28717fb860fbe064736641f379fab2c91. Please upgrade to this or a later version, there are no known workarounds.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.31%
Vendor Advisory github.com
Affected: DIYgod RSSHub
Published at:
Updated at:

References

Link Tags
https://github.com/DIYgod/RSSHub/security/advisories/GHSA-32gr-4cq6-5w5q patch vendor advisory
https://github.com/DIYgod/RSSHub/commit/c910c4d28717fb860fbe064736641f379fab2c91 patch

Frequently Asked Questions

What is the severity of CVE-2023-26491?
CVE-2023-26491 has been scored as a medium severity vulnerability.
How to fix CVE-2023-26491?
To fix CVE-2023-26491, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-26491 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-26491 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-26491?
CVE-2023-26491 affects DIYgod RSSHub.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.