{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T08:46:14.508","vulnerabilities":[{"cve":{"id":"CVE-2021-21278","sourceIdentifier":"security-advisories@github.com","published":"2021-01-26T21:15:12.673","lastModified":"2024-11-21T05:47:55.097","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub before version 7f1c430 (non-semantic versioning) there is a risk of code injection. Some routes use `eval` or `Function constructor`, which may be injected by the target site with unsafe code, causing server-side security issues The fix in version 7f1c430 is to temporarily remove the problematic route and added a `no-new-func` rule to eslint."},{"lang":"es","value":"RSSHub es un generador de fuentes RSS extensible, fácil de usar y de código abierto. En RSSHub versiones anteriores a 7f1c430 (versionado no semántico) se presenta el riesgo de inyección de código. Algunas rutas usan \"eval\" o \"Function constructor\", que pueden ser inyectadas por el sitio objetivo con código no seguro, causando problemas de seguridad en el lado del servidor. La corrección en la versión 7f1c430 es eliminar temporalmente la ruta problemática y agregar una regla \"no-new-func\" para eslint"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2021-01-25","matchCriteriaId":"96307B03-5B1C-4DDC-8E20-E299DE0697A3"}]}]}],"references":[{"url":"https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://www.npmjs.com/package/rsshub","source":"security-advisories@github.com","tags":["Product","Third Party Advisory"]},{"url":"https://github.com/DIYgod/RSSHub/commit/7f1c43094e8a82e4d8f036ff7d42568fed00699d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/DIYgod/RSSHub/security/advisories/GHSA-pgjj-866w-fc5c","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.npmjs.com/package/rsshub","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Third Party Advisory"]}]}}]}