CVE-2025-31483 — Cross-site Scripting in Miniflux v2
Severity: 4.8 MEDIUM (NVD)
EPSS: 0.3% (top 49.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 3, 2025
Latest update: Apr 9, 2025
Description
Miniflux is a feed reader. Its media proxy (the /proxy/* route) fetches external images and serves them from the application's own origin. Because that route sent a weak Content Security Policy, an attacker controlling a proxied resource could bypass the media proxy's CSP and achieve cross-site scripting when a user opened the external image in a new tab or window, where the proxied bytes are rendered as a top-level document rather than inside an <img> element. The fix changes the media proxy's CSP from default-src 'self' to default-src 'none'; form-action 'none'; sandbox; so that a proxied document can load nothing, submit no forms, and runs sandboxed in an opaque origin with scripts disabled. This vulnerability is fixed in Miniflux 2.2.7.
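The following Go program is an added illustration written for this page; it is not Miniflux's proxy code. It models a minimal media-proxy handler that relays an upstream body unchanged and attaches a CSP, serves a constructed SVG payload once under the pre-fix policy and once under the 2.2.7 policy, and checks each response for the three properties the fix depends on (default-src 'none', form-action 'none', and a bare sandbox directive with no allow-* tokens). The handler, the request path /proxy/example and the SVG body are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// weakProxyCSP is the policy the advisory says the /proxy/* route sent before the fix.
const weakProxyCSP = "default-src 'self'"

// fixedProxyCSP is the policy shipped in Miniflux 2.2.7, as quoted in the advisory.
const fixedProxyCSP = "default-src 'none'; form-action 'none'; sandbox;"

// newProxyHandler builds a hypothetical media-proxy handler (not Miniflux's own code)
// that relays the upstream bytes unchanged and attaches the given CSP.
func newProxyHandler(csp string, upstream []byte, contentType string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", csp)
		w.Header().Set("Content-Type", contentType)
		w.Header().Set("X-Content-Type-Options", "nosniff")
		_, _ = w.Write(upstream)
	})
}

// cspIsolatesProxiedContent checks the three properties the fix relies on when a
// proxied resource is opened as a top-level document:
//   - default-src 'none': the document may load nothing, from any origin;
//   - form-action 'none': it cannot submit forms anywhere;
//   - a bare sandbox directive: it runs in an opaque origin with scripts disabled,
//     so it cannot reach the application's origin or cookies.
// Any allow-* token on sandbox (allow-scripts, allow-same-origin, ...) weakens that
// isolation, so the directive must appear with no arguments.
func cspIsolatesProxiedContent(csp string) bool {
	var noneDefault, noneForm, bareSandbox bool
	for _, directive := range strings.Split(csp, ";") {
		fields := strings.Fields(directive)
		if len(fields) == 0 {
			continue // trailing ';' or empty segment
		}
		switch strings.ToLower(fields[0]) {
		case "default-src":
			noneDefault = len(fields) == 2 && fields[1] == "'none'"
		case "form-action":
			noneForm = len(fields) == 2 && fields[1] == "'none'"
		case "sandbox":
			bareSandbox = len(fields) == 1
		}
	}
	return noneDefault && noneForm && bareSandbox
}

// checkProxyResponse requests a proxied resource from h and returns the CSP it
// served together with the verdict of cspIsolatesProxiedContent.
func checkProxyResponse(h http.Handler) (string, bool) {
	req := httptest.NewRequest(http.MethodGet, "/proxy/example", nil) // path is illustrative
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	csp := rec.Header().Get("Content-Security-Policy")
	return csp, cspIsolatesProxiedContent(csp)
}

func main() {
	// Constructed upstream body: an SVG that carries a script. Inside an <img> tag
	// it never executes; opened directly as a document, only the policy decides.
	payload := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>`)

	for _, csp := range []string{weakProxyCSP, fixedProxyCSP} {
		served, ok := checkProxyResponse(newProxyHandler(csp, payload, "image/svg+xml"))
		fmt.Printf("CSP %q isolates proxied content: %v\n", served, ok)
	}
}
```

To verify a deployed instance, request any /proxy/ URL with curl -sI and inspect the Content-Security-Policy header: a response still carrying default-src 'self' on that route is running pre-2.2.7 behaviour. The check deliberately rejects a sandbox directive that carries any allow-* token, because allow-scripts or allow-same-origin would give a proxied document back exactly what the fix takes away.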
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected packages: 2 packages
Vulnerability Details
OSV (miniflux.app), 2025-04-09: Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration
GHSA, 2025-04-04: Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration
OSV, 2025-04-04: Miniflux Media Proxy vulnerable to Stored Cross-site Scripting due to improper Content-Security-Policy configuration