GHSA-3V85-FQVH-7RXF: Stored Cross-Site Scripting in Ech0 RSS Feed Generation
Vulnerability ID: GHSA-3V85-FQVH-7RXF
CVSS Score: 5.3
Published: 2026-05-07
A stored Cross-Site Scripting (XSS) vulnerability exists in the Ech0 project's RSS feed generation component. The application fails to properly escape user-supplied tags and Markdown content before rendering them into the /rss feed, allowing arbitrary JavaScript execution in vulnerable RSS readers.
TL;DR
Ech0 renders unescaped user input into its public RSS feed, permitting stored XSS attacks when users read the feed.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 5.3
- Impact: Stored Cross-Site Scripting
- Exploit Status: Proof-of-Concept
- Authentication Required: Yes (to post/tag)
Affected Systems
- Ech0 Syndication Endpoint (/rss)
- Ech0: All versions prior to fix commit fd320fe3 (Fixed in: fd320fe3e9021c8d8d284fb274775c018690520e)
Code Analysis
Commit: fd320fe
Fix: Implement HTML escaping for tag names and strip HTML during Markdown processing.
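As an added illustration (not Ech0's own code), the following Go sketch contrasts the pre-fix way of building a feed body with one that applies the two measures named in the fix: stripping HTML during Markdown processing and HTML-escaping tag names. The Post type, the trivial renderMarkdown stand-in and the regex-based StripHTML are assumptions in place of the project's real types and Markdown converter.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Post is a constructed stand-in for an Ech0 entry: Markdown body plus user tags.
type Post struct {
	Markdown string
	Tags     []string
}

var rawHTMLTag = regexp.MustCompile(`(?s)<[^>]*>`)

// StripHTML drops raw HTML embedded in Markdown before conversion. The regex
// is for illustration; production code should use an allowlist sanitizer.
func StripHTML(md string) string {
	return rawHTMLTag.ReplaceAllString(md, "")
}

// renderMarkdown stands in for the real converter and just wraps text in <p>.
func renderMarkdown(md string) string {
	return "<p>" + strings.TrimSpace(md) + "</p>"
}

// UnsafeContent mirrors the pre-fix behaviour: inline HTML in the Markdown
// passes through and tag names are concatenated into the HTML unescaped.
func UnsafeContent(p Post) string {
	return renderMarkdown(p.Markdown) + "<p>#" + strings.Join(p.Tags, " #") + "</p>"
}

// SafeContent applies the fix: strip HTML during Markdown processing and
// HTML-escape each tag name before it is placed in the feed body.
func SafeContent(p Post) string {
	tags := make([]string, 0, len(p.Tags))
	for _, t := range p.Tags {
		tags = append(tags, html.EscapeString(t))
	}
	return renderMarkdown(StripHTML(p.Markdown)) + "<p>#" + strings.Join(tags, " #") + "</p>"
}

func main() {
	p := Post{Markdown: "hello <b>world</b>", Tags: []string{"go<i>", "rss"}}
	fmt.Println(UnsafeContent(p)) // <p>hello <b>world</b></p><p>#go<i> #rss</p>
	fmt.Println(SafeContent(p))   // <p>hello world</p><p>#go&lt;i&gt; #rss</p>
}
```

The feed serializer (encoding/xml or a feeds library) still XML-escapes the whole body, so readers decode it back to HTML; the point is that the HTML they decode no longer carries attacker-controlled markup.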
Mitigation Strategies
- Update Ech0 to a version containing the patch commit fd320fe3e9021c8d8d284fb274775c018690520e.
- Implement Web Application Firewall (WAF) rules to filter HTML entity injection at the creation endpoint.
- Audit downstream RSS reader configurations to ensure strict handling of HTML types within syndication feeds.
Remediation Steps
- Identify the deployed version of the Ech0 application.
- Review the codebase or container image to determine if commit fd320fe3 is included.
- Pull the latest update from the upstream repository or apply the patch manually.
- Restart the application to enforce the new parsing and encoding logic.
- Purge existing malicious posts or tags from the database to ensure clean syndication feeds.