All the vulnerabilites related to FreshRSS - FreshRSS
cve-2025-31136
Vulnerability from cvelistv5
Published
2025-06-04 19:42
Modified
2025-06-04 20:18
Severity ?
EPSS score ?
Summary
FreshRSS vulnerable to Cross-site Scripting by <iframe>'ing a vulnerable same-origin page in a feed entry
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31136",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:17:44.490587Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:18:02.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it\u0027s possible to run arbitrary JavaScript on the feeds page.\nThis occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `\u003cscript\u003e` tags inside of them that aren\u0027t sanitized, with the lack of CSP in `f.php` by embedding the malicious favicon in an iframe (that has `sandbox=\"allow-scripts allow-same-origin\"` set as its attribute). An attacker needs to control one of the feeds that the victim is subscribed to, and also must have an account on the FreshRSS instance. Other than that, the iframe payload can be embedded as one of two options. The first payload requires user interaction (the user clicking on the malicious feed entry) with default user configuration, and the second payload fires instantly right after the user adds the feed or logs into the account while the feed entry is still visible. This is because of lazy image loading functionality, which the second payload bypasses. An attacker can gain access to the victim\u0027s account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 has a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T19:42:15.077Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f"
}
],
"source": {
"advisory": "GHSA-f6r4-jrvc-cfmr",
"discovery": "UNKNOWN"
},
"title": "FreshRSS vulnerable to Cross-site Scripting by \u003ciframe\u003e\u0027ing a vulnerable same-origin page in a feed entry"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31136",
"datePublished": "2025-06-04T19:42:15.077Z",
"dateReserved": "2025-03-26T15:04:52.627Z",
"dateUpdated": "2025-06-04T20:18:02.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-54875
Vulnerability from cvelistv5
Published
2025-09-29 21:29
Modified
2025-09-30 14:55
Severity ?
EPSS score ?
Summary
FreshRSS: Unauthorized creation of admin user when registration is enabled
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7783 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54875",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T14:55:26.557118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T14:55:56.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.16.0, \u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T21:29:50.136Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7783",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7783"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-h625-ghr3-jppq",
"discovery": "UNKNOWN"
},
"title": "FreshRSS: Unauthorized creation of admin user when registration is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54875",
"datePublished": "2025-09-29T21:29:50.136Z",
"dateReserved": "2025-07-31T17:23:33.474Z",
"dateUpdated": "2025-09-30T14:55:56.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-61586
Vulnerability from cvelistv5
Published
2025-09-29 23:14
Modified
2025-09-30 14:31
Severity ?
EPSS score ?
Summary
FreshRSS is vulnerable to directory enumeration by setting path in its theme field
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7722 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T14:30:45.955854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T14:31:02.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T23:14:51.054Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7722",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7722"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5"
}
],
"source": {
"advisory": "GHSA-w35p-p867-qr4f",
"discovery": "UNKNOWN"
},
"title": "FreshRSS is vulnerable to directory enumeration by setting path in its theme field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61586",
"datePublished": "2025-09-29T23:14:51.054Z",
"dateReserved": "2025-09-26T16:25:25.150Z",
"dateUpdated": "2025-09-30T14:31:02.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23497
Vulnerability from cvelistv5
Published
2022-12-09 22:16
Modified
2025-04-23 16:29
Severity ?
EPSS score ?
Summary
Insecure file access in FreshRSS
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/4928 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/4928",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/4928"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23497",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:17.092178Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:29:06.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.18.0, \u003c 1.20.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (brypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-09T22:16:00.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-hvrj-5fwj-p7v6"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/4928",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/4928"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2"
}
],
"source": {
"advisory": "GHSA-hvrj-5fwj-p7v6",
"discovery": "UNKNOWN"
},
"title": "Insecure file access in FreshRSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23497",
"datePublished": "2022-12-09T22:16:00.220Z",
"dateReserved": "2022-01-19T21:23:53.767Z",
"dateUpdated": "2025-04-23T16:29:06.755Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-59948
Vulnerability from cvelistv5
Published
2025-09-29 22:56
Modified
2025-09-30 13:47
Severity ?
EPSS score ?
Summary
FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-rwhf-vjjx-gmm9 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/7df6c201f2e6a6521d20718dfd8d9794c7437d1f | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:47:02.492605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:47:05.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-rwhf-vjjx-gmm9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow API access authentication setting needs to be enabled by the instance administrator beforehand for the attack to work as it relies on api/query.php. An account takeover is possible by sending a change password request via the XSS payload / setting UserJS for persistence / stealing the autofill password / displaying a phishing page with a spoofed URL using history.replaceState()\nIf the victim is an administrator, the attacker can also perform administrative actions. This issue is fixed in version 1.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T22:56:46.073Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-rwhf-vjjx-gmm9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-rwhf-vjjx-gmm9"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/7df6c201f2e6a6521d20718dfd8d9794c7437d1f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/7df6c201f2e6a6521d20718dfd8d9794c7437d1f"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-rwhf-vjjx-gmm9",
"discovery": "UNKNOWN"
},
"title": "FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59948",
"datePublished": "2025-09-29T22:56:46.073Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2025-09-30T13:47:05.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-19782
Vulnerability from cvelistv5
Published
2019-01-29 23:00
Modified
2024-08-05 11:44
Severity ?
EPSS score ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://seclists.org/fulldisclosure/2018/Dec/3 | mailing-list, x_refsource_FULLDISC | |
| https://www.exploit-db.com/exploits/45954/ | exploit, x_refsource_EXPLOIT-DB | |
| http://packetstormsecurity.com/files/150608/FreshRSS-1.11.1-Cross-Site-Scripting.html | x_refsource_MISC | |
| https://www.netsparker.com/web-applications-advisories/ns-18-024-multiple-cross-site-scripting-vulnerabilities-in-freshrss/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:44:20.276Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20181204 Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2018/Dec/3"
},
{
"name": "45954",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/45954/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/150608/FreshRSS-1.11.1-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.netsparker.com/web-applications-advisories/ns-18-024-multiple-cross-site-scripting-vulnerabilities-in-freshrss/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-12-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-29T22:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20181204 Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2018/Dec/3"
},
{
"name": "45954",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/45954/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/150608/FreshRSS-1.11.1-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.netsparker.com/web-applications-advisories/ns-18-024-multiple-cross-site-scripting-vulnerabilities-in-freshrss/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19782",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20181204 Multiple Cross-Site Scripting Vulnerabilities in FreshRSS 1.11.1",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2018/Dec/3"
},
{
"name": "45954",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/45954/"
},
{
"name": "http://packetstormsecurity.com/files/150608/FreshRSS-1.11.1-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/150608/FreshRSS-1.11.1-Cross-Site-Scripting.html"
},
{
"name": "https://www.netsparker.com/web-applications-advisories/ns-18-024-multiple-cross-site-scripting-vulnerabilities-in-freshrss/",
"refsource": "MISC",
"url": "https://www.netsparker.com/web-applications-advisories/ns-18-024-multiple-cross-site-scripting-vulnerabilities-in-freshrss/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19782",
"datePublished": "2019-01-29T23:00:00",
"dateReserved": "2018-11-30T00:00:00",
"dateUpdated": "2024-08-05T11:44:20.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-54593
Vulnerability from cvelistv5
Published
2025-08-01 18:04
Modified
2025-08-01 18:32
Severity ?
EPSS score ?
Summary
FreshRSS is vulnerable to RCE attacks by authenticated admin
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7477 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54593",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T18:31:35.795084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T18:32:59.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T18:04:40.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7477",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7477"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2"
}
],
"source": {
"advisory": "GHSA-jcww-48g9-wf57",
"discovery": "UNKNOWN"
},
"title": "FreshRSS is vulnerable to RCE attacks by authenticated admin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54593",
"datePublished": "2025-08-01T18:04:40.265Z",
"dateReserved": "2025-07-25T16:19:16.095Z",
"dateUpdated": "2025-08-01T18:32:59.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-57769
Vulnerability from cvelistv5
Published
2025-09-29 21:37
Modified
2025-09-30 14:51
Severity ?
EPSS score ?
Summary
FressRSS: Clickjacking can lead to XSS and/or privilege escalation
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7677 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57769",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T14:51:12.226653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T14:51:28.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T21:37:52.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7677",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7677"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-wm5p-7pr7-c8rw",
"discovery": "UNKNOWN"
},
"title": "FressRSS: Clickjacking can lead to XSS and/or privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57769",
"datePublished": "2025-09-29T21:37:29.491Z",
"dateReserved": "2025-08-19T15:16:22.917Z",
"dateUpdated": "2025-09-30T14:51:28.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-46341
Vulnerability from cvelistv5
Published
2025-06-04 20:09
Modified
2025-06-04 20:49
Severity ?
EPSS score ?
Summary
Privilege escalation via SSRF when using HTTP auth
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w3m8-wcf4-h8vm | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/6bb8680ae0051b9a2ff344f17814f4fa5d844628 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46341",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:49:25.381466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:49:32.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it\u0027s possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin\u0027s username, while also having an account on the instance. An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation like in the demonstrated scenario, although users that have setup OIDC are not affected by privilege escalation. Version 1.26.2 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:09:18.479Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w3m8-wcf4-h8vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w3m8-wcf4-h8vm"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/6bb8680ae0051b9a2ff344f17814f4fa5d844628",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/6bb8680ae0051b9a2ff344f17814f4fa5d844628"
}
],
"source": {
"advisory": "GHSA-w3m8-wcf4-h8vm",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation via SSRF when using HTTP auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46341",
"datePublished": "2025-06-04T20:09:18.479Z",
"dateReserved": "2025-04-22T22:41:54.912Z",
"dateUpdated": "2025-06-04T20:49:32.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-54592
Vulnerability from cvelistv5
Published
2025-09-29 21:23
Modified
2025-09-30 13:42
Severity ?
EPSS score ?
Summary
FreshRSS has Incomplete Session Termination on Logout
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7762 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54592",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:32:36.755129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:42:14.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T21:23:43.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7762",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7762"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-42v4-65f8-5wgr",
"discovery": "UNKNOWN"
},
"title": "FreshRSS has Incomplete Session Termination on Logout"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54592",
"datePublished": "2025-09-29T21:23:43.903Z",
"dateReserved": "2025-07-25T16:19:16.095Z",
"dateUpdated": "2025-09-30T13:42:14.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-54591
Vulnerability from cvelistv5
Published
2025-09-29 21:00
Modified
2025-09-30 15:02
Severity ?
EPSS score ?
Summary
FreshRSS: Unauthenticated users can view default user's information
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jf4v-f8p2-8xvq | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7768 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54591",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T15:02:24.413662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T15:02:37.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jf4v-f8p2-8xvq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a defined firstAction() method with an override to make sure that every action requires access. If one doesn\u0027t, then every action has to check for access manually, and certain endpoints use neither the firstAction() method, or do they perform a manual access check. This issue is fixed in version 1.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T21:00:50.080Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jf4v-f8p2-8xvq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jf4v-f8p2-8xvq"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7768",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7768"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-jf4v-f8p2-8xvq",
"discovery": "UNKNOWN"
},
"title": "FreshRSS: Unauthenticated users can view default user\u0027s information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54591",
"datePublished": "2025-09-29T21:00:50.080Z",
"dateReserved": "2025-07-25T16:19:16.095Z",
"dateUpdated": "2025-09-30T15:02:37.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-31134
Vulnerability from cvelistv5
Published
2025-06-04 19:35
Modified
2025-06-04 20:07
Severity ?
EPSS score ?
Summary
FreshRSS vulnerable to directory enumeration via ext.php
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31134",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:06:04.637737Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:07:03.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T19:35:55.749Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438"
}
],
"source": {
"advisory": "GHSA-jjm2-4hf7-9x65",
"discovery": "UNKNOWN"
},
"title": "FreshRSS vulnerable to directory enumeration via ext.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31134",
"datePublished": "2025-06-04T19:35:55.749Z",
"dateReserved": "2025-03-26T15:04:52.627Z",
"dateUpdated": "2025-06-04T20:07:03.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-59950
Vulnerability from cvelistv5
Published
2025-09-29 23:21
Modified
2025-09-30 14:19
Severity ?
EPSS score ?
Summary
FreshRSS: Double clickjacking can lead to privilege escalation
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/pull/7771 | x_refsource_MISC | |
| https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59950",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T14:19:40.154084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T14:19:51.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.27.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user\u0027s management page after the admin double clicks on a button inside an attacker-controlled website. A successful attack can allow the attacker to promote themselves to \"admin\" and log into other users\u0027 accounts; the attacker has to know the specific instance URL they\u0027re targeting. This issue is fixed in version 1.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T23:21:42.118Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j66v-hvqx-5vh3"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/pull/7771",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/pull/7771"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0"
}
],
"source": {
"advisory": "GHSA-j66v-hvqx-5vh3",
"discovery": "UNKNOWN"
},
"title": "FreshRSS: Double clickjacking can lead to privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59950",
"datePublished": "2025-09-29T23:21:42.118Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2025-09-30T14:19:51.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-31482
Vulnerability from cvelistv5
Published
2025-06-04 19:50
Modified
2025-06-04 20:46
Severity ?
EPSS score ?
Summary
FreshRSS vulnerable to DoS by malicious feed entry loading logout URL
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31482",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:46:19.306605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:46:27.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T19:50:58.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-vpmc-3fv2-jmgp"
}
],
"source": {
"advisory": "GHSA-vpmc-3fv2-jmgp",
"discovery": "UNKNOWN"
},
"title": "FreshRSS vulnerable to DoS by malicious feed entry loading logout URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31482",
"datePublished": "2025-06-04T19:50:58.615Z",
"dateReserved": "2025-03-28T13:36:51.297Z",
"dateUpdated": "2025-06-04T20:46:27.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-46339
Vulnerability from cvelistv5
Published
2025-06-04 20:04
Modified
2025-06-04 20:48
Severity ?
EPSS score ?
Summary
FreshRSS vulnerable to favicon cache poisoning via proxy
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46339",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:48:40.460533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:48:49.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it\u0027s possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it\u0027s possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:04:54.504Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2"
}
],
"source": {
"advisory": "GHSA-8f79-3q3w-43c4",
"discovery": "UNKNOWN"
},
"title": "FreshRSS vulnerable to favicon cache poisoning via proxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46339",
"datePublished": "2025-06-04T20:04:54.504Z",
"dateReserved": "2025-04-22T22:41:54.912Z",
"dateUpdated": "2025-06-04T20:48:49.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-22481
Vulnerability from cvelistv5
Published
2023-03-06 17:33
Modified
2025-02-25 15:01
Severity ?
EPSS score ?
Summary
Sensitive information exposure in the logs of greader API in FreshRSS
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578 | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:30:26.520067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T15:01:23.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/log_api.txt` in the case where the authentication fails. The issues occurs in `authorizationToUser()` in `greader.php`. If there is an issue with the request or the credentials, `unauthorized()` or `badRequest()` is called. Both these functions are printing the return of `debugInfo()` in the logs. `debugInfo()` will return the content of the request. By default, this will be saved in `users/_/log_api.txt` and if the const `COPY_LOG_TO_SYSLOG` is true, in syslogs as well. Exploiting this issue requires having access to logs produced by FreshRSS. Using the information from the logs, a malicious individual could get users\u0027 API keys (would be displayed if the users fills in a bad username) or passwords."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T17:33:03.697Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8vvv-jxg6-8578"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/075cf4c800063e3cc65c3d41a9c23222e8ebb554"
}
],
"source": {
"advisory": "GHSA-8vvv-jxg6-8578",
"discovery": "UNKNOWN"
},
"title": "Sensitive information exposure in the logs of greader API in FreshRSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22481",
"datePublished": "2023-03-06T17:33:03.697Z",
"dateReserved": "2022-12-29T17:41:28.088Z",
"dateUpdated": "2025-02-25T15:01:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-32015
Vulnerability from cvelistv5
Published
2025-06-04 19:59
Modified
2025-06-04 20:47
Severity ?
EPSS score ?
Summary
FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wgrq-mcwc-8f8v | x_refsource_CONFIRM | |
| https://github.com/FreshRSS/FreshRSS/commit/54e2f9107d03c5b3bb260f38fdb2736bce449fd4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32015",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-04T20:46:57.768236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T20:47:07.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreshRSS",
"vendor": "FreshRSS",
"versions": [
{
"status": "affected",
"version": "\u003c 1.26.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `\u003ciframe srcdoc\u003e` attribute, which leads to cross-site scripting (XSS) by loading an attacker\u0027s UserJS inside `\u003cscript src\u003e`. In order to execute the attack, the attacker needs to control one of the victim\u0027s feeds and have an account on the FreshRSS instance that the victim is using. An attacker can gain access to the victim\u0027s account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T19:59:39.615Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wgrq-mcwc-8f8v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wgrq-mcwc-8f8v"
},
{
"name": "https://github.com/FreshRSS/FreshRSS/commit/54e2f9107d03c5b3bb260f38fdb2736bce449fd4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreshRSS/FreshRSS/commit/54e2f9107d03c5b3bb260f38fdb2736bce449fd4"
}
],
"source": {
"advisory": "GHSA-wgrq-mcwc-8f8v",
"discovery": "UNKNOWN"
},
"title": "FreshRSS vulnerable to Cross-site Scripting by embedding \u003cscript\u003e tag inside \u003ciframe srcdoc\u003e"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32015",
"datePublished": "2025-06-04T19:59:39.615Z",
"dateReserved": "2025-04-01T21:57:32.953Z",
"dateUpdated": "2025-06-04T20:47:07.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}