Cross-Site Scripting Vulnerability in FreshRSS by FreshRSS
CVE-2025-59948

6.7 MEDIUM

Key Information:

Vendor: FreshRSS
Status: Vendor
CVE Published: 29 September 2025

What is CVE-2025-59948?

FreshRSS is a self-hostable RSS aggregator. Versions 1.26.3 and earlier contain a Cross-Site Scripting (XSS) vulnerability: event handler attributes in feed content are not sanitized before the content is rendered. The vulnerability is exploitable in particular when the instance administrator has enabled the "Allow API access" authentication setting. It can lead to account takeover by several routes, such as submitting a password change request from an XSS payload or manipulating browser history to display a phishing page. If the targeted account belongs to an administrator, the attacker can potentially execute administrative actions. The issue is fixed in FreshRSS version 1.27.0.
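The root cause named above is feed HTML reaching the reader's browser with inline event handler attributes (`onerror`, `onclick`, and so on) intact. The following is an added example, not FreshRSS's own code or fix, showing the minimal sanitising step in Python with the standard library only: re-serialise feed HTML while dropping every attribute whose name begins with `on`, and record what was removed so the event can be logged. The function name `strip_event_handlers` and the sample feed snippets are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser


class EventHandlerStripper(HTMLParser):
    """Re-serialise HTML, dropping any attribute whose name begins with 'on'.

    html.parser lowercases tag and attribute names and decodes entities in
    attribute values, so a mixed-case ONERROR or an entity-encoded name still
    arrives here in normalised form.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # serialised output fragments
        self.removed = []   # (tag, attribute) pairs that were dropped, for logging

    def _serialise_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                # Inline event handler: this is the class of attribute the
                # advisory says was passed through unsanitised.
                self.removed.append((tag, name))
                continue
            if value is None:
                parts.append(f" {name}")          # boolean attribute, e.g. disabled
            else:
                # Values were entity-decoded by the parser; re-escape on output.
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-escaped so decoded entities cannot become markup.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry no feed content; drop them


def strip_event_handlers(feed_html):
    """Return (sanitised_html, removed_attributes) for one feed item's HTML."""
    parser = EventHandlerStripper()
    parser.feed(feed_html)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    # Constructed feed item: a harmless image tag carrying an inline handler.
    sample = '<p>Hello <img src="x.png" onerror="alert(1)" alt="a"></p>'
    clean, dropped = strip_event_handlers(sample)
    print(clean)     # <p>Hello <img src="x.png" alt="a"></p>
    print(dropped)   # [('img', 'onerror')]
```

A denylist on `on*` is only the specific step this advisory is about; a production sanitiser for untrusted feed HTML should instead allow a fixed set of tags and attributes and reject everything else, and a restrictive Content-Security-Policy without `'unsafe-inline'` limits the impact if a sanitiser gap is ever found. The `removed` list is worth emitting to the application log, since a feed that repeatedly carries inline handlers is a useful detection signal.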

Affected Version(s)

FreshRSS < 1.27.0

References

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
