CVE-2025-62166

High CVSS: 7.5

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

Vendor

Freshrss

Product

Freshrss

CWE

CWE-284

Yayın Tarihi

2026-03-09 20:16:01

Güncelleme

2026-03-13 19:39:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-284 Freshrss HIGH Freshrss 2026

Referanslar

https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24 https://github.com/FreshRSS/FreshRSS/pull/8165 https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0 https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh

Benzer Kayıtlar

Medium

CVE-2025-68148

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny…

Low

CVE-2025-68932

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random n…

Medium

CVE-2025-59949

FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vuln…

High

CVE-2025-58173

FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `lan…

Medium

CVE-2025-61586

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by s…

Medium

CVE-2025-59950

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking p…