CVE-2025-54875

Critical CVSS: 9.8

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0.

Vendor

Freshrss

Product

Freshrss

CWE

CWE-284

Yayın Tarihi

2025-09-29 22:15:36

Güncelleme

2025-10-03 15:59:35

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-284 Freshrss CRITICAL Freshrss 2025

Referanslar

https://github.com/FreshRSS/FreshRSS/pull/7783 https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq

Benzer Kayıtlar

High

CVE-2025-62166

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication…

Medium

CVE-2025-68148

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny…

Low

CVE-2025-68932

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random n…

Medium

CVE-2025-59949

FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vuln…

High

CVE-2025-58173

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `lan…

Medium

CVE-2025-61586

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by s…