Arbitrary Code Execution Vulnerability in FreshRSS by FreshRSS
CVE-2025-54593

7.2HIGH

Key Information:

Vendor

Freshrss

Status
Freshrss
Vendor
CVE Published:
1 August 2025

What is CVE-2025-54593?

FreshRSS, a self-hosted RSS aggregator, is vulnerable to an arbitrary code execution issue, specifically in versions up to 1.26.1. An attacker with administrator access can exploit this vulnerability by altering the update URL to direct it towards a malicious server. Once the update is executed, the attacker can run arbitrary code on the server, potentially leading to unauthorized access and manipulation of user data. This includes the exfiltration of sensitive information such as hashed passwords and the possibility of defacing the instance, depending on file permissions. To mitigate this risk, users are advised to upgrade to version 1.26.2, where the vulnerability has been addressed.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

FreshRSS < 1.26.2

References

https://github.com/FreshRSS/FreshRSS/security/advisories/...
x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/7477
x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/dbdadbb410787...
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.