Arbitrary Code Execution Vulnerability in FreshRSS by FreshRSS
CVE-2025-54593

7.2 HIGH

Key Information:

Vendor: FreshRSS
Status: Vendor
CVE Published: 1 August 2025

What is CVE-2025-54593?

FreshRSS, a self-hosted RSS aggregator, is affected by an arbitrary code execution vulnerability in versions up to and including 1.26.1. An attacker who already holds administrator access can change the configured update URL so that it points to a server under their control. When the update is then run, the attacker's code executes on the FreshRSS server, allowing unauthorized access to and manipulation of user data, including exfiltration of sensitive information such as hashed passwords and, depending on file permissions, defacement of the instance. Users are advised to upgrade to version 1.26.2, where the vulnerability has been addressed.

Affected Version(s)

FreshRSS < 1.26.2

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved