Lucene search
K

209 matches found

Positive Technologies
Positive Technologies
added 2025/09/29 12:0 a.m.6 views

PT-2025-39904

Name of the Vulnerable Software and Affected Versions FreshRSS versions 1.16.0 through 1.26.3 Description FreshRSS is a free, self-hostable RSS aggregator. An unprivileged attacker can create a new administrator user when registration is enabled. This is achieved through manipulation of a hidden...

9.8CVSS6.6AI score0.00495EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2025/09/29 12:0 a.m.4 views

PT-2025-39918

Name of the Vulnerable Software and Affected Versions FreshRSS versions 1.26.3 and below Description FreshRSS does not properly sanitize event handler attributes within feed content. This can lead to cross-site scripting XSS if a page renders feed entries without a Content Security Policy CSP. Th...

6.7CVSS5.9AI score0.00307EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2025/09/29 12:0 a.m.8 views

PT-2025-39919

Name of the Vulnerable Software and Affected Versions FreshRSS versions 1.26.3 and below Description FreshRSS is susceptible to directory enumeration. By manipulating the theme field with a specific path, an attacker can determine the existence of directories on the server, potentially gaining...

6.9CVSS6.7AI score0.00425EPSS
Exploits1References9
CNNVD
CNNVD
added 2025/09/29 12:0 a.m.5 views

FreshRSS 跨站脚本漏洞

FreshRSS is a free, self-hosted RSS aggregator from FreshRSS Open Source. A cross-site scripting vulnerability exists in FreshRSS versions 1.26.3 and earlier, which stems from not cleaning certain event handler attributes in the feed content and could lead to a cross-site scripting attack...

6.7CVSS5.8AI score0.00307EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2025/09/29 12:0 a.m.6 views

PT-2025-39920

Name of the Vulnerable Software and Affected Versions FreshRSS versions 1.26.3 and below Description FreshRSS is susceptible to a double clickjacking protection bypass. An attacker can trick an administrator into promoting themselves to "admin" and logging into other users' accounts. This is...

6.7CVSS6.6AI score0.00262EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2025/09/29 12:0 a.m.4 views

PT-2025-39903

Name of the Vulnerable Software and Affected Versions FreshRSS versions 1.26.3 and below Description FreshRSS does not properly end a user session when they log out. The session cookie remains active and can be reused by an attacker to start a new session, potentially leading to session hijacking...

9.8CVSS6.7AI score0.00495EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2025/08/04 9:33 a.m.8 views

CVE-2025-54593

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

7.2CVSS8.2AI score0.0078EPSS
Exploits1References1
NVD
NVD
added 2025/08/01 6:15 p.m.8 views

CVE-2025-54593

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

7.2CVSS0.0078EPSS
Exploits1References4
CVE
CVE
added 2025/08/01 6:4 p.m.17 views

CVE-2025-54593

FreshRSS up to version 1.26.1 is vulnerable to RCE via an authenticated administrator who can modify the update URL to execute arbitrary code on the server; successful exploitation can lead to data exfiltration (including hashed passwords) and possible defacement. The issue is fixed in version 1....

7.2CVSS8.1AI score0.0078EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2025/08/01 6:4 p.m.9 views

CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

7.2CVSS0.0078EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2025/08/01 6:4 p.m.3 views

CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

7.2CVSS7.5AI score0.0078EPSS
Exploits1References4
OSV
OSV
added 2025/08/01 6:4 p.m.6 views

CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code...

7.2CVSS8.1AI score0.0078EPSS
Exploits1References6
CNNVD
CNNVD
added 2025/08/01 12:0 a.m.4 views

FreshRSS 代码注入漏洞

FreshRSS is a free, self-hosted RSS aggregator from the FreshRSS open source. A code injection vulnerability exists in FreshRSS versions 1.26.1 and earlier, which stems from an administrator being able to modify the update URL, potentially leading to arbitrary code execution...

7.2CVSS8AI score0.0078EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2025/08/01 12:0 a.m.10 views

PT-2025-31676 · Freshrss · Freshrss

Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.1 and below Description: FreshRSS is a free, self-hostable RSS aggregator. An authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain...

7.2CVSS8.3AI score0.0078EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.15 views

CVE-2025-31134

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server...

7.5CVSS7.1AI score0.00395EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.19 views

CVE-2025-46341

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...

7.1CVSS7.7AI score0.00392EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.19 views

CVE-2025-46339

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not...

4.3CVSS7.1AI score0.00159EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.24 views

CVE-2025-32015

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside...

6.7CVSS5.9AI score0.00387EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.16 views

CVE-2025-31136

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting XSS issue that occurs in f.php when SVG favicons are downloaded from an attacker-controlled feed containing...

6.7CVSS6AI score0.00307EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/06 8:12 p.m.15 views

CVE-2025-31482

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue...

4.3CVSS7AI score0.00156EPSS
Exploits1References1
Rows per page
Query Builder