RSSHub is vulnerable to cross-site scripting (XSS) via unvalidated URL parameters
Description
RSSHub has a reflected XSS vulnerability in URL parameters, allowing arbitrary JavaScript execution via crafted links.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-26491 is a reflected cross-site scripting (XSS) vulnerability in RSSHub, an open-source RSS feed generator. When the `brief` query parameter fails validation, the thrown error message embeds the raw parameter value, and the error page renders that message without escaping it, so an attacker can inject arbitrary HTML and JavaScript [1][2].
The attack vector is a crafted URL carrying the payload in the `brief` parameter. No authentication is required; any user who opens the link is affected [4]. The vulnerability is triggered only on the error path, because that is where the unescaped value reaches the page.
Successful exploitation allows execution of JavaScript in the victim's browser context. This can lead to data theft, session hijacking, or other malicious actions performed on behalf of the user [2].
The vulnerability was fixed in commit c910c4d. Users should upgrade to the latest version. No workarounds are available [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rsshub (npm) | < 1.0.0-master.c910c4d | 1.0.0-master.c910c4d |
Patches
c910c4d28717 fix: brief parameter xss vulnerability
1 file changed · +1 −1
lib/middleware/parameter.js+1 −1 modified@@ -313,7 +313,7 @@ module.exports = async (ctx, next) => { } }); } else { - throw Error(`Invalid parameter <code>brief=${ctx.query.brief}</code>. Please check the doc https://docs.rsshub.app/parameter.html#shu-chu-jian-xun`); + throw Error(`Invalid parameter brief. Please check the doc https://docs.rsshub.app/parameter.html#shu-chu-jian-xun`); } }
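Review bot: Dropping `${ctx.query.brief}` from the message closes this reflection point, but it removes the diagnostic rather than fixing the sink: whatever renders `Error.message` into the error page still emits it unescaped, so any other `throw Error(...)` in this middleware that interpolates a query value would reflect in exactly the same way. Consider keeping the value but HTML-escaping it, e.g. `brief=${escapeHtml(ctx.query.brief)}`, and, independently, escaping `err.message` in the error renderer so a future interpolation cannot reintroduce the bug. The commit message should also state that the removed text was user-controlled, since "xss vulnerability" alone does not explain why the message lost its content.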
Vulnerability mechanics
Root cause
"User-supplied input in the `brief` query parameter is interpolated into an HTML error message without sanitization, enabling reflected XSS."
Attack vector
An attacker crafts a URL whose `brief` query parameter value embeds HTML/JavaScript. The value fails validation, is interpolated into the error message, and is rendered unescaped on the error page in the victim's browser.
Affected code
The vulnerability exists in `lib/middleware/parameter.js` at the error-throwing line for the `brief` parameter. The original code interpolated the user-supplied `ctx.query.brief` value directly into an HTML error message string without sanitization, creating a cross-site scripting (XSS) vector.
What the fix does
The patch removes the user-controlled `ctx.query.brief` value from the error message string, replacing it with the static text "Invalid parameter brief". This prevents any attacker-supplied HTML or JavaScript from being rendered in the error page, closing the XSS vulnerability.
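As an added example (not RSSHub's code and not part of the advisory), the pattern the fix addresses, modelled in plain Node.js without Koa: the `brief` check as it behaved before the fix, the check as patched in c910c4d, and a variant that keeps the diagnostic by HTML-escaping the value, each run through a stand-in error handler that writes `err.message` into an HTML page unescaped. The validity rule (digits only, at least 100), the `ctx` shape, `renderErrorPage` and the payload string are assumptions made for illustration.

```javascript
// Added example: models the reflected XSS behind CVE-2023-26491. Not RSSHub code.
// Assumptions: a Koa-like ctx with ctx.query, an error handler that drops err.message
// into HTML unescaped, and (illustration only) a rule that brief must be an integer
// of at least 100. The real validity rule is not shown on the advisory page.

const DOC = 'https://docs.rsshub.app/parameter.html#shu-chu-jian-xun';

// Assumed validity rule for the example.
function briefIsValid(value) {
  return /^\d+$/.test(value) && Number(value) >= 100;
}

// Before the fix: the raw query value is interpolated into the error message.
function checkBriefVulnerable(ctx) {
  const brief = ctx.query.brief;
  if (brief === undefined || briefIsValid(brief)) return true;
  throw Error(`Invalid parameter <code>brief=${brief}</code>. Please check the doc ${DOC}`);
}

// After the fix (commit c910c4d): the user-controlled value is no longer in the message.
function checkBriefFixed(ctx) {
  const brief = ctx.query.brief;
  if (brief === undefined || briefIsValid(brief)) return true;
  throw Error(`Invalid parameter brief. Please check the doc ${DOC}`);
}

// Alternative hardening: keep the diagnostic but HTML-escape anything user-controlled.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function checkBriefEscaped(ctx) {
  const brief = ctx.query.brief;
  if (brief === undefined || briefIsValid(brief)) return true;
  throw Error(`Invalid parameter <code>brief=${escapeHtml(brief)}</code>. Please check the doc ${DOC}`);
}

// Stand-in for an error handler that renders err.message as HTML without escaping.
// This is the sink that turns the interpolated value into reflected XSS.
function renderErrorPage(check, ctx) {
  try {
    check(ctx);
    return '<html><body>OK</body></html>';
  } catch (err) {
    return `<html><body><h1>Error</h1><p>${err.message}</p></body></html>`;
  }
}

// Constructed request: an attacker-controlled brief value carrying an HTML payload.
const PAYLOAD = '<img src=x onerror=alert(1)>';
const attackerCtx = { query: { brief: PAYLOAD } };

// Renders the error page for the same request under all three checks.
function demo() {
  return {
    vulnerable: renderErrorPage(checkBriefVulnerable, attackerCtx),
    fixed: renderErrorPage(checkBriefFixed, attackerCtx),
    escaped: renderErrorPage(checkBriefEscaped, attackerCtx),
  };
}

for (const [name, html] of Object.entries(demo())) {
  console.log(`${name}: ${html.includes(PAYLOAD) ? 'payload reflected raw' : 'payload not reflected raw'}`);
}
```

Only the vulnerable variant echoes the tag verbatim; the patched variant omits the value entirely, and the escaped variant still tells the operator what was rejected while rendering as inert text. Escaping at the renderer (applying `escapeHtml` to `err.message` inside `renderErrorPage`) would protect every throw site at once, which is the more durable fix.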
Preconditions
- Input: the attacker must craft a URL whose `brief` query parameter carries an HTML/JavaScript payload.
- Network: the victim must open the crafted URL in a browser, so that RSSHub rejects the `brief` value and renders the error page containing it.
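Because exploitation leaves a request for a non-numeric `brief` value in the server's access log, attempts can be spotted after the fact. The following is an added example, not part of the advisory or of RSSHub, that parses constructed Combined Log Format lines and flags any `brief` value that is not a plain number; the digits-only rule, the log lines and the route paths are assumptions made for illustration.

```javascript
// Added example: detect CVE-2023-26491 exploitation attempts in access logs.
// Not RSSHub code. The log lines below are constructed; a "valid" brief is assumed
// to be digits only, so anything else (tags, script, odd encodings) is flagged.

const SAMPLE_LOGS = [
  '203.0.113.7 - - [10/Mar/2023:10:01:02 +0000] "GET /twitter/user/example?brief=200 HTTP/1.1" 200 5120',
  '203.0.113.7 - - [10/Mar/2023:10:01:09 +0000] "GET /twitter/user/example?brief=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 500 812',
  '198.51.100.4 - - [10/Mar/2023:10:02:44 +0000] "GET /github/issue/DIYgod/RSSHub?limit=10 HTTP/1.1" 200 9001',
  '198.51.100.4 - - [10/Mar/2023:10:03:01 +0000] "GET /twitter/user/example?brief=1%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 500 830',
];

// Combined Log Format: client, ident, user, [time], "METHOD target protocol", status, ...
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decodes the query string the way the server would and returns the brief value, if any.
function briefValue(target) {
  const url = new URL(target, 'http://rsshub.invalid'); // base only to parse a relative target
  return url.searchParams.get('brief');
}

// Assumed rule: a legitimate brief is digits only; null means the parameter was absent.
function isSuspiciousBrief(value) {
  return value !== null && !/^\d+$/.test(value);
}

// Returns one record per request whose brief value looks like an injection attempt.
function findBriefXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    let brief;
    try {
      brief = briefValue(req.target);
    } catch {
      continue; // unparseable target: not a candidate for this rule
    }
    if (isSuspiciousBrief(brief)) {
      hits.push({ ip: req.ip, time: req.time, status: req.status, brief });
    }
  }
  return hits;
}

for (const hit of findBriefXssAttempts(SAMPLE_LOGS)) {
  console.log(`${hit.time} ${hit.ip} status=${hit.status} brief=${JSON.stringify(hit.brief)}`);
}
```

Decoding through `URL` matters: the payload arrives percent-encoded, so matching the raw log line for `<script>` would miss it. A 500 status beside a flagged value is consistent with the error page having been served, but the rule flags on the parameter alone, since a 200 could still indicate a proxy or cache in front of RSSHub.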
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-32gr-4cq6-5w5q (GitHub Advisory Database)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-26491 (NVD)
- [3] github.com/DIYgod/RSSHub/commit/c910c4d28717fb860fbe064736641f379fab2c91 (fix commit)
- [4] github.com/DIYgod/RSSHub/security/advisories/GHSA-32gr-4cq6-5w5q (repository security advisory)