CVE-2025-59948
FreshRSS versions 1.26.3 and earlier are vulnerable to XSS due to unsanitized event handler attributes in feed content. The attack requires that the instance has API access authentication enabled and uses the /api/query.php endpoint; successful exploitation can lead to account takeover and, if th...