FreshRSS is vulnerable to RCE attacks by authenticated admin

CVE Details

Basic Information

Title FreshRSS is vulnerable to RCE attacks by authenticated admin
Type cve
Published 2025-08-01T18:04:40.265Z
Modified 2025-08-01T18:32:59.897Z

Product Information

Vendor FreshRSS
Product FreshRSS
Version < 1.26.2

CVSS Information

Base Score 7.2 (HIGH)
Vector String CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products

  • FreshRSS FreshRSS < 1.26.2

Additional Information

CWE List CWE-94
Source GitHub_M

Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, and the instance can be defaced when file permissions allow. Malicious code can also be inserted into the instance to steal plaintext passwords, among other things. This is fixed in version 1.26.2.
