3 matches found
CVE-2025-32015
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside . In order to execute the attack, the attacker needs to control one of the victim's feeds and...
CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside . In order to execute the attack, the attacker needs to control one of the victim's feeds and...
CVE-2025-32015
FreshRSS before version 1.26.2 is affected by an XSS in the iframe srcdoc sanitization, allowing an attacker to load UserJS via a script src if they control a victim feed and have a user account. The attacker could access the victim’s account; if the victim is an admin, they could delete users or...