{"uuid": "8287e0be-e95e-4f8c-885a-978022ae620c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-3v85-fqvh-7rxf", "type": "seen", "source": "https://gist.github.com/alon710/8f139efaf98ab724348c38b11621f80e", "content": "# GHSA-3V85-FQVH-7RXF: GHSA-3V85-FQVH-7RXF: Stored Cross-Site Scripting in Ech0 RSS Feed Generation\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-3V85-FQVH-7RXF\n\n## Summary\nA stored Cross-Site Scripting (XSS) vulnerability exists in the Ech0 project's RSS feed generation component. The application fails to properly escape user-supplied tags and Markdown content before reflecting them in the `/rss` endpoint, allowing arbitrary JavaScript execution in vulnerable RSS readers.\n\n## TL;DR\nEch0 renders unescaped user input into its public RSS feed, permitting stored XSS attacks when users read the feed.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79\n- **Attack Vector**: Network\n- **CVSS Score**: 5.3\n- **Impact**: Stored Cross-Site Scripting\n- **Exploit Status**: Proof-of-Concept\n- **Authentication Required**: Yes (to post/tag)\n\n## Affected Systems\n\n- Ech0 Syndication Endpoint (/rss)\n- **Ech0**: All versions prior to fix commit fd320fe3 (Fixed in: `fd320fe3e9021c8d8d284fb274775c018690520e`)\n\n## Mitigation\n\n- Update Ech0 to a version containing the patch commit fd320fe3e9021c8d8d284fb274775c018690520e.\n- Implement Web Application Firewall (WAF) rules to filter HTML entity injection at the creation endpoint.\n- Audit downstream RSS reader configurations to ensure strict handling of HTML types within syndication feeds.\n\n**Remediation Steps:**\n1. Identify the deployed version of the Ech0 application.\n2. Review the codebase or container image to determine if commit fd320fe3 is included.\n3. Pull the latest update from the upstream repository or apply the patch manually.\n4. Restart the application to enforce the new parsing and encoding logic.\n5. Purge existing malicious posts or tags from the database to ensure clean syndication feeds.\n\n## References\n\n- [GitHub Advisory](https://github.com/advisories/GHSA-3V85-FQVH-7RXF)\n- [OSV Listing](https://osv.dev/vulnerability/GHSA-3v85-fqvh-7rxf)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-3V85-FQVH-7RXF) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T16:10:29.000000Z"}