7 matches found
EUVD-2025-16931
Malicious code in bioql PyPI...
CVE-2025-46339
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not...
CVE-2025-46339
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not...
CVE-2025-46339 FreshRSS vulnerable to favicon cache poisoning via proxy
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not...
CVE-2025-46339 FreshRSS vulnerable to favicon cache poisoning via proxy
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not...
CVE-2025-46339
FreshRSS prior to version 1.26.2 is vulnerable to favicon cache poisoning via a manipulated feed URL and an attacker-controlled proxy with SSL verification disabled. The underlying issue is the favicon hash computation, which hashes the feed URL and a salt but omits proxy address, proxy protocol,...
PT-2025-23855 · Freshrss · Freshrss
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.26.2 Description: The issue allows an attacker to poison feed favicons by manipulating the feed URL and proxy settings, potentially replacing favicons for all users. This is possible because the favicon hash...