Freshrss vulnerabilities
23 known vulnerabilities affecting freshrss/freshrss.
Total CVEs: 23
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 9, MEDIUM 11
Vulnerabilities
Page 1 of 2
CVE-2025-68932 | P3 | CRITICAL | CVSS 9.8 | CWE-338 | fixed in 1.28.0 | 2025-12-27
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session
Source: NVD
CVE-2018-19782 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC available | affected v1.11.1 | 2019-01-30
Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter.
Source: NVD
CVE-2025-58173 | P3 | HIGH | CVSS 8.8 | CWE-20 | affected >= 1.23.0, < 1.27.1 | 2025-12-16
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or setting the database
Source: NVD
CVE-2025-54875 | P3 | CRITICAL | CVSS 9.8 | CWE-284 | affected >= 1.16.0, < 1.27.0 | 2025-09-29
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0.
Source: NVD
CVE-2025-54592 | P3 | CRITICAL | CVSS 9.8 | CWE-613 | fixed in 1.27.0 | 2025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session
Source: NVD
CVE-2025-54593 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 1.26.2 | 2025-08-01
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated
Source: NVD
CVE-2025-54591 | P3 | HIGH | CVSS 7.5 | CWE-284 | fixed in 1.27.0 | 2025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default admin users, due to lack of access checking in the FreshRSS_Auth::hasAccess() function used by some of the tag/feed related endpoints. FreshRSS controllers usually have a defined firstAction() method with an override to make s
Source: NVD
CVE-2025-62166 | P3 | HIGH | CVSS 7.5 | CWE-284 | fixed in 1.28.0 | 2026-03-09
FreshRSS is a free, self-hostable RSS aggregator. Prior to 1.28.0, a bug in the authentication logic related to master authentication tokens bypasses the restriction that, when anonymous viewing is enabled, only the default user's feed should be viewable and the feeds of other users should remain private. This vulnerability is fixed in 1.28.0.
Source: NVD
CVE-2025-68402 | P3 | HIGH | CVSS 8.2 | CWE-287 | fixed in commit 476e57b04646416e24e24c56133c9fadf9e52b95 | 2026-03-09
FreshRSS is a free, self-hostable RSS aggregator. From commit 57e1a37 to 00f2f04, the length of the nonce was changed from 40 to 64 characters. password_verify() is currently being called with a constructed string (SHA-256 nonce + part of a bcrypt hash) instead of the raw user password. Due to bcrypt's 72-byte input truncation, this causes password verification t
Source: NVD
CVE-2022-23497 | P3 | HIGH | CVSS 7.5 | CWE-200 | affected >= 1.18.0, < 1.20.2 | 2022-12-09
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (bcrypt with cost 9, salted) of the FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (bcrypt with cost 9, salted) of the GReade
Source: NVD
CVE-2025-46341 | P3 | HIGH | CVSS 7.1 | CWE-918 | fixed in 1.26.2 | 2025-06-04
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The a
Source: NVD
CVE-2025-68148 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected >= 1.27.0, < 1.28.0 | 2025-12-27
FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to feeds by using a proxy to rewrite the responses for a large list of feeds on a given instance to 429 with a Retry-After header, making the instance unusable for the majority of users. This issue has been patched in version 1.28.0.
Source: NVD
CVE-2025-31134 | P3 | HIGH | CVSS 7.5 | CWE-201 | fixed in 1.26.2 | 2025-06-04
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack t
Source: NVD
CVE-2025-32015 | P3 | MEDIUM | CVSS 6.7 | CWE-79 | fixed in 1.26.2 | 2025-06-04
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside ``. In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the
Source: NVD
CVE-2025-59948 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.27.0 | 2025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow API access authentication setting needs to be enabled by the instance administrator beforehand for
Source: NVD
CVE-2025-57769 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.27.0 | 2025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring t
Source: NVD
CVE-2025-59949 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | fixed in 1.27.1 | 2025-12-18
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via . Version 1.27.1 patches the issue.
Source: NVD
CVE-2025-59950 | P4 | MEDIUM | CVSS 5.4 | CWE-1021 | fixed in 1.27.0 | 2025-09-30
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button inside an attacker-controlled website. A successful at
Source: NVD
CVE-2025-61586 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 1.27.0 | 2025-09-30
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting a path in the theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.
Source: NVD
CVE-2023-22481 | P4 | MEDIUM | CVSS 5.5 | CWE-532 | affected >= 1.9.0, < 1.21.0 | 2023-03-06
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/log_api.txt` in the case where the authentication fails. The issue occurs in `authorizationToUser()` in `greader.php`. If there is an issue with the request or the credentials, `unauthorized()` or `badRequest()` is called.
Source: NVD