LOWCVE-2025-15454CVSS 3.1

CVE-2025-15454: XSS in lettura React Component

Platform

react

Component

cba7c19a4eafcb326d0e912adf132be3

Fixed in

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.23

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

0.1.21

0.1.22

0.1.23

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

A cross-site scripting (XSS) vulnerability has been identified in lettura, a React component, affecting versions 0.1.0 through 0.1.22. This vulnerability allows remote attackers to inject malicious scripts by manipulating the RSS Handler component. The issue stems from improper handling of data within the ContentRender.tsx file. A patch, version 0.1.23, has been released to address this security concern.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-15454 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the application, and theft of sensitive user data. The attacker could potentially gain access to user credentials, personal information, or other confidential data stored within the application. Given the component's role in handling RSS feeds, an attacker could inject malicious scripts into these feeds, impacting all users who consume them. The public availability of the exploit increases the risk of widespread exploitation.

Exploitation Context

The exploit for CVE-2025-15454 is publicly available, indicating a higher risk of exploitation. The vulnerability's CVSS score is LOW, suggesting that exploitation may require some level of attacker skill or specific conditions. As of the publication date, there is no indication of this vulnerability being actively exploited in the wild, but the public availability of the exploit warrants immediate attention and remediation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impactpartial

CVSS Vector

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Componentcba7c19a4eafcb326d0e912adf132be3

Vendorzhanglun

Affected rangeFixed in

0.1.0 – 0.1.00.1.1

0.1.1 – 0.1.10.1.2

0.1.2 – 0.1.20.1.3

0.1.3 – 0.1.30.1.4

0.1.4 – 0.1.40.1.5

0.1.5 – 0.1.50.1.6

0.1.6 – 0.1.60.1.7

0.1.7 – 0.1.70.1.8

0.1.8 – 0.1.80.1.9

0.1.9 – 0.1.90.1.23

0.1.10 – 0.1.100.1.11

0.1.11 – 0.1.110.1.12

0.1.12 – 0.1.120.1.13

0.1.13 – 0.1.130.1.14

0.1.14 – 0.1.140.1.15

0.1.15 – 0.1.150.1.16

0.1.16 – 0.1.160.1.17

0.1.17 – 0.1.170.1.18

0.1.18 – 0.1.180.1.19

0.1.19 – 0.1.190.1.20

0.1.20 – 0.1.200.1.21

0.1.21 – 0.1.210.1.22

0.1.22 – 0.1.220.1.23

Weakness Classification (CWE)

CWE-79 CWE-94

Timeline

Reserved2026-01-04
Published2026-01-05
Modified2026-02-23
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2025-15454 is to upgrade to version 0.1.23 of lettura. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the RSS Handler component to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Carefully review and sanitize any data received from external sources, particularly RSS feeds, to prevent malicious scripts from being injected. After upgrading, confirm the fix by attempting to inject a simple XSS payload through the RSS feed and verifying that it is properly sanitized.

How to fix

Update the version of lettura to version 0.1.23 or higher. This corrects the cross-site scripting (Cross-Site Scripting) vulnerability in the RSS Handler component. The update can be performed by replacing the file src/components/ArticleView/ContentRender.tsx with the patched version.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-15454 — XSS in lettura React Component?

CVE-2025-15454 is a cross-site scripting (XSS) vulnerability affecting versions 0.1.0–0.1.22 of the lettura React component, allowing remote code execution.

Am I affected by CVE-2025-15454 in lettura React Component?

You are affected if your application uses lettura versions 0.1.0 through 0.1.22 and handles RSS feeds without proper input sanitization.

How do I fix CVE-2025-15454 in lettura React Component?

Upgrade to version 0.1.23 of lettura. Implement input validation and output encoding as a temporary workaround if upgrading is not immediately possible.

Is CVE-2025-15454 being actively exploited?

While there's no confirmed active exploitation, the public availability of the exploit increases the risk of future attacks.

Where can I find the official lettura advisory for CVE-2025-15454?

Refer to the project's repository or documentation for the official advisory regarding CVE-2025-15454.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs