CVE-2025-62166
published 2026-03-09


Priority: P3 (46)
Severity: high, CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.38% (29.8th percentile)
FreshRSS is a free, self-hostable RSS aggregator. Normally, when anonymous viewing is enabled, only the default user's feed should be viewable, and the feeds of other users should remain private. Prior to 1.28.0, a bug in the authentication logic related to master authentication tokens allows this restriction to be bypassed. This vulnerability is fixed in 1.28.0.

Affected (1 range)

Vendor: freshrss
Product: freshrss
Version range: < 1.28.0
Fixed in: 1.28.0