VYPR
Medium severity · NVD Advisory · Published Nov 5, 2024 · Updated Apr 15, 2026

CVE-2024-50346

Description

WebFeed is a lightweight web feed reader extension for Firefox/Chrome. Multiple HTML injection vulnerabilities in WebFeed can lead to CSRF and UI spoofing attacks. A remote attacker can provide malicious RSS feeds and attract the victim user to visit it using WebFeed. The attacker can then inject malicious HTML into the extension page and fool the victim into sending out HTTP requests to arbitrary sites with the victim's credentials. Users are vulnerable to CSRF attacks when visiting malicious RSS feeds via WebFeed. Unwanted actions could be executed on the user's behalf on arbitrary websites. This issue has been addressed in release version 0.9.2. All users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WebFeed extension vulnerable to HTML injection via malicious RSS feeds, enabling CSRF and UI spoofing attacks; fixed in version 0.9.2.

Vulnerability

Multiple HTML injection vulnerabilities exist in the WebFeed browser extension, allowing an attacker to inject malicious HTML into extension pages when a user views a crafted RSS feed [1]. The root cause is the unsafe use of innerHTML to display feed titles, summaries, and other data without proper sanitization [1].

Exploitation

A remote attacker can host a malicious RSS feed containing injected HTML. When a victim using WebFeed subscribes to or views this feed, the injected HTML is rendered within the extension's page [1]. This can be leveraged for cross-site request forgery (CSRF), where the victim is tricked into sending HTTP requests to arbitrary sites with their credentials, or for UI spoofing to mislead the user [1]. No authentication is required; the only precondition is that the victim has the extension installed and views the feed.

Impact

Successful exploitation allows the attacker to perform actions on the victim's behalf on arbitrary websites (CSRF) and to present deceptive interfaces (UI spoofing), potentially leading to data theft or further compromise [1].

Mitigation

The issue has been addressed in WebFeed version 0.9.2, which replaces innerHTML assignments with safer alternatives like innerText and applies html2txt sanitization [2]. Users should upgrade to this version; there are no known workarounds [1].
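As an added illustration of the bug class and of the fix described above, the following is not WebFeed's own code and does not use html2txt: it contrasts a renderer that concatenates untrusted feed fields straight into markup (the pattern that becomes dangerous once the result is assigned to innerHTML) with one that escapes every field, which is the string-building equivalent of assigning to textContent/innerText. The escapeHtml, safeHref, renderItemUnsafe, renderItemSafe and leaksTag functions and the sample feed entry are constructed for this example; it runs under Node without a DOM because it only builds the markup string.

```javascript
// Added example (not WebFeed's code): vulnerable vs. hardened rendering of
// one feed entry. Everything in `item` comes from a remote feed and must be
// treated as attacker-controlled text, never as markup.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can open a tag, attribute or entity.
// This is what textContent does for you when you assign to a DOM node.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Only absolute http(s) URLs are allowed into an href; anything else
// (javascript:, data:, malformed input) is replaced with a harmless anchor.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // not an absolute URL at all
  }
  return "#";
}

// Vulnerable pattern: feed-controlled text lands in the markup verbatim, so
// any tag an attacker puts into a title or summary becomes part of the page
// as soon as this string is assigned to innerHTML.
function renderItemUnsafe(item) {
  return `<li><a href="${item.link}">${item.title}</a><p>${item.summary}</p></li>`;
}

// Hardened pattern: every untrusted field is escaped and the link is validated.
function renderItemSafe(item) {
  return `<li><a href="${safeHref(item.link)}">${escapeHtml(item.title)}</a>` +
         `<p>${escapeHtml(item.summary)}</p></li>`;
}

// Constructed sample entry (not from any real feed): the title and summary
// carry markup that a reader must display as text, and the link is not http(s).
const sampleItem = {
  title: "Release notes <b>important</b>",
  summary: 'Details at <a href="https://example.invalid/login">this page</a>',
  link: "javascript:void(0)",
};

// Check helper for a renderer's unit tests: does the output still contain an
// unescaped tag of the given name? (Tags the template itself emits, like <li>,
// are expected; check for a tag that only the feed could have supplied.)
function leaksTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, "i").test(html);
}

console.log("unsafe:", renderItemUnsafe(sampleItem));
console.log("safe  :", renderItemSafe(sampleItem));
```

In a real extension the safe path is simpler still: create the elements with document.createElement and assign item.title to textContent, which needs no escaping routine at all. The leaksTag check is the kind of regression test that catches a stray innerHTML assignment creeping back into a feed renderer.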

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: 1

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)