Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

FreshRSS — Vulnerabilities & Security Advisories 22

Browse all 22 CVE security advisories affecting FreshRSS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FreshRSS is an open-source, self-hosted RSS aggregator designed to allow users to monitor multiple news feeds from a single interface. As a PHP-based web application, it has historically been associated with twenty-two recorded Common Vulnerabilities and Exposures (CVEs). The most prevalent vulnerability classes include SQL injection, cross-site scripting (XSS), and remote code execution (RCE), often stemming from insufficient input validation and improper handling of user-supplied data. While the project maintains an active development cycle to address these issues, the frequency of past exploits highlights the risks inherent in complex web interfaces. Notable incidents have primarily involved authenticated attacks or specific configuration weaknesses rather than widespread, unauthenticated breaches. Users are advised to keep installations updated and restrict access to trusted networks to mitigate potential exposure to these known security flaws.

Top products by FreshRSS: FreshRSS
CVE IDTitleCVSSSeverityPublished
CVE-2025-68402 FreshRSS has an authentication bypass due to truncated bcrypt hash [edge branch] — FreshRSSCWE-287 5.3AIMediumAI2026-03-09
CVE-2025-62166 FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens — FreshRSSCWE-284 7.5 High2026-03-09
CVE-2025-68148 FreshRSS globally denies access to feed via proxy modifying to 429 Retry-After — FreshRSSCWE-770 4.3 Medium2025-12-26
CVE-2025-68932 FreshRSS has weak cryptographic randomness in remember-me token and nonce generation — FreshRSSCWE-338 9.8 -2025-12-26
CVE-2025-59949 FreshRSS has Logout CSRF that Leads to DoS via <track src> — FreshRSSCWE-352 5.3 Medium2025-12-18
CVE-2025-58173 FreshRSS vulnerable to authenticated RCE via path traversal inside include() — FreshRSSCWE-20 8.8AIHighAI2025-12-15
CVE-2025-59950 FreshRSS: Double clickjacking can lead to privilege escalation — FreshRSSCWE-1021 6.7 Medium2025-09-29
CVE-2025-61586 FreshRSS is vulnerable to directory enumeration by setting path in its theme field — FreshRSSCWE-22 5.3 -2025-09-29
CVE-2025-59948 FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page — FreshRSSCWE-79 6.7 Medium2025-09-29
CVE-2025-57769 FressRSS: Clickjacking can lead to XSS and/or privilege escalation — FreshRSSCWE-79 8.8AIHighAI2025-09-29
CVE-2025-54875 FreshRSS: Unauthorized creation of admin user when registration is enabled — FreshRSSCWE-284 9.8 Critical2025-09-29
CVE-2025-54592 FreshRSS has Incomplete Session Termination on Logout — FreshRSSCWE-613 7.1AIHighAI2025-09-29
CVE-2025-54591 FreshRSS: Unauthenticated users can view default user's information — FreshRSSCWE-284 7.5 High2025-09-29
CVE-2025-54593 FreshRSS is vulnerable to RCE attacks by authenticated admin — FreshRSSCWE-94 7.2 High2025-08-01
CVE-2025-46341 Privilege escalation via SSRF when using HTTP auth — FreshRSSCWE-918 7.1 High2025-06-04
CVE-2025-46339 FreshRSS vulnerable to favicon cache poisoning via proxy — FreshRSSCWE-349 4.3 Medium2025-06-04
CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc> — FreshRSSCWE-79 6.7 Medium2025-06-04
CVE-2025-31482 FreshRSS vulnerable to DoS by malicious feed entry loading logout URL — FreshRSSCWE-352 4.3 Medium2025-06-04
CVE-2025-31136 FreshRSS vulnerable to Cross-site Scripting by <iframe>'ing a vulnerable same-origin page in a feed entry — FreshRSSCWE-79 6.7 Medium2025-06-04
CVE-2025-31134 FreshRSS vulnerable to directory enumeration via ext.php — FreshRSSCWE-201 5.3AIMediumAI2025-06-04
CVE-2023-22481 Sensitive information exposure in the logs of greader API in FreshRSS — FreshRSSCWE-532 4.0 Medium2023-03-06
CVE-2022-23497 Insecure file access in FreshRSS — FreshRSSCWE-200 6.5 Medium2022-12-09

This page lists every published CVE security advisory associated with FreshRSS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.