CVE-2025-61586

Medium CVSS: 6.9

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.

Vendor

Freshrss

Product

Freshrss

CWE

CWE-22

Yayın Tarihi

2025-09-30 04:44:53

Güncelleme

2025-10-03 15:39:40

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Freshrss MEDIUM Freshrss 2025

Referanslar

https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5 https://github.com/FreshRSS/FreshRSS/pull/7722 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f

Benzer Kayıtlar

High

CVE-2025-62166

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication…

Medium

CVE-2025-68148

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny…

Low

CVE-2025-68932

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random n…

Medium

CVE-2025-59949

FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vuln…

High

CVE-2025-58173

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `lan…

Medium

CVE-2025-59950

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking p…