Cross-site Scripting Vulnerability in FreshRSS by FreshRSS
CVE-2025-31136

5.4 MEDIUM

Key Information:

Vendor: FreshRSS
Status: Vendor
CVE Published: 4 June 2025

What is CVE-2025-31136?

FreshRSS, a self-hosted RSS feed aggregator, has a cross-site scripting (XSS) vulnerability in versions before 1.26.2. A feed can declare an SVG file as its favicon, and FreshRSS fetched that favicon without sanitising it. Because the favicon ends up rendered inside an iframe that permits script execution, JavaScript embedded in the SVG runs in the context of the FreshRSS application; the same SVG rendered only through an <img> element would not execute script, which is why the iframe matters. Two preconditions apply: the attacker must control a feed the victim is subscribed to, and the victim must have a FreshRSS account. The payload can fire on user interaction or without it, immediately after the feed is added or after the victim logs in. A successful attack runs as the logged-in user and can take over the victim's account; because the script can issue fetch requests against the application from that session, the impact may extend to server-side code execution. The issue is fixed in FreshRSS 1.26.2, and any earlier version should be upgraded.
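As an added illustration (this is not FreshRSS code and does not reproduce the project's actual fix), the following Python shows the check an aggregator can apply to a favicon it has fetched from a feed before storing and serving it: sniff whether the bytes are SVG, then either refuse SVG outright or refuse any SVG carrying active content (script elements, event-handler attributes, foreignObject, javascript:/data: hrefs, external use references). The sample favicons are constructed; the function names and the allow_svg policy switch are this example's own. A small is_affected helper compares a version string against the 1.26.2 fix named above.

```python
"""Favicon validation against the CVE-2025-31136 pattern.

Added example, not FreshRSS code: the functions, the policy switch and the
sample favicons are all this example's own. Assumption: the aggregator
fetches the favicon URL a feed announces and later serves those bytes from
its own origin, where an SVG with script is dangerous if it is ever rendered
as a document (iframe/object/embed) rather than through <img>.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Elements that can run script or embed foreign content when the SVG is a document.
ACTIVE_TAGS = {"script", "foreignObject", "handler"}
FIXED_VERSION = (1, 26, 2)  # first fixed FreshRSS release per the advisory


def is_svg(data: bytes) -> bool:
    """Sniff the bytes themselves; never trust the URL suffix or the feed host's Content-Type."""
    head = data.lstrip()[:512].lower()
    return b"<svg" in head or (head.startswith(b"<?xml") and b"svg" in head)


def svg_active_content(data: bytes) -> list[str]:
    """List reasons an SVG could execute script when rendered as a document."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]  # drop the namespace prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}", 1)[-1]  # handles xlink:href as well as href
            if local.lower().startswith("on"):  # onload=, onclick=, ...
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href":
                if re.match(r"\s*(javascript|data)\s*:", value, re.I):
                    findings.append(f"{local}={value[:40]!r} on <{tag}>")
                elif tag == "use" and not value.lstrip().startswith("#"):
                    findings.append(f"external <use> reference {value[:40]!r}")
    return findings


def accept_favicon(data: bytes, *, allow_svg: bool = False) -> tuple[bool, str]:
    """Decide whether fetched favicon bytes may be stored and served.

    The default policy refuses SVG altogether (the conservative option); with
    allow_svg=True only SVGs without active content are accepted.
    """
    if not is_svg(data):
        return True, "non-svg favicon"
    if not allow_svg:
        return False, "svg favicons rejected by policy"
    findings = svg_active_content(data)
    if findings:
        return False, "; ".join(findings)
    return True, "static svg"


def is_affected(version: str) -> bool:
    """True when a FreshRSS version string is older than the 1.26.2 fix.

    Pre-release suffixes are ignored, so treat 1.26.2-dev builds with care.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION


# Constructed samples, not captured from any real feed.
MALICIOUS_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="8"/></svg>'
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
              b'<circle cx="8" cy="8" r="7" fill="#f60"/></svg>')
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature is enough for sniffing

if __name__ == "__main__":
    for label, blob in [("script", MALICIOUS_SVG), ("onload", HANDLER_SVG),
                        ("benign", BENIGN_SVG), ("png", PNG_STUB)]:
        print(label, accept_favicon(blob), accept_favicon(blob, allow_svg=True))
    print("1.26.1 affected:", is_affected("1.26.1"), "| 1.26.2 affected:", is_affected("1.26.2"))
```

Validation on ingest is only half of the defence: the rendering side should never load a feed-supplied image as a document, so favicons belong in an <img> element, and any iframe that must display them needs a sandbox attribute without allow-scripts. Serving stored favicons with a Content-Security-Policy header such as sandbox or default-src 'none' limits the damage if one is nevertheless opened as a document. Whether FreshRSS 1.26.2 applied these particular measures is not stated on this page.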

Affected Version(s)

FreshRSS < 1.26.2

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None (with the other metrics unchanged, a Low availability impact would score 6.5, not 5.4)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 June 2025
