Double Clickjacking Vulnerability in FreshRSS by FreshRSS
CVE-2025-59950

6.7 MEDIUM

Key Information:

Vendor: FreshRSS
Status: Vendor
CVE Published: 29 September 2025

What is CVE-2025-59950?

FreshRSS versions 1.26.3 and earlier are vulnerable to double clickjacking. An attacker can lure an administrator into clicking a deceptive Promote button on the user management pages by embedding a malicious link in an attacker-controlled web page. Once the administrator is tricked into performing the double-click, the attacker's own account is elevated to admin, which in turn gives unauthorized access to other users' accounts. The vulnerability is fixed in FreshRSS version 1.27.0.
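Because double clickjacking lands the victim's second click in a real top-level window rather than a frame, X-Frame-Options and CSP frame-ancestors do not stop it; the page itself has to refuse clicks that were not preceded by deliberate interaction. The guard below is an added example, not FreshRSS's own code or its 1.27.0 fix: it keeps a privileged control (such as an admin Promote button) inert until the user has moved the pointer or pressed a key inside this window, disarms it again whenever the window loses focus, and rejects clicks that arrive too soon after arming. The `settleMs` threshold, the function names and the event traces are assumptions made for this illustration.

```javascript
// Added example (not FreshRSS code): gate a privileged button behind a
// deliberate in-page gesture so a pre-positioned second click cannot fire it.
// 'settleMs' is an assumed threshold, not a value taken from the advisory.

function createActionGuard(settleMs = 250) {
  let armed = false;
  let armedAt = 0;
  return {
    // Pointer movement or a key press inside the page counts as real interaction.
    onGesture(now) {
      if (!armed) { armed = true; armedAt = now; }
    },
    // The window was swapped away (blur / hidden): drop the armed state, so a
    // later re-focus alone never re-enables the control.
    onLoseFocus() {
      armed = false;
      armedAt = 0;
    },
    isArmed() { return armed; },
    // Honour a click only when the control has been armed long enough to rule
    // out a click that was already in flight when this window appeared.
    shouldHonourClick(now) {
      return armed && now - armedAt >= settleMs;
    },
  };
}

// Replays an event trace through the guard and returns, for each click,
// whether it would have been honoured. Lets the flows be compared without a browser.
function runSequence(events, settleMs = 250) {
  const guard = createActionGuard(settleMs);
  const honoured = [];
  for (const ev of events) {
    if (ev.type === 'gesture') guard.onGesture(ev.t);
    else if (ev.type === 'blur') guard.onLoseFocus();
    else if (ev.type === 'click') honoured.push(guard.shouldHonourClick(ev.t));
  }
  return honoured;
}

// Constructed traces (timestamps in ms since page load), not captured data.
// Double clickjack: the admin's window is brought forward under the cursor and the
// queued second click arrives almost immediately; at most a tiny pointer
// movement precedes it, well inside the settle window.
const DOUBLE_CLICKJACK_TRACE = [
  { type: 'gesture', t: 4990 },
  { type: 'click', t: 5000 },
];
// Legitimate admin: moves the pointer to the button, then clicks a second later.
const LEGITIMATE_TRACE = [
  { type: 'gesture', t: 4000 },
  { type: 'click', t: 5000 },
];
// Gesture in this window, then a switch to another window, then a click right
// after re-focus: the blur disarmed the control, so the click is rejected.
const SWITCH_AWAY_TRACE = [
  { type: 'gesture', t: 1000 },
  { type: 'blur' },
  { type: 'click', t: 5000 },
];

// Wires the guard to a real button. Only meaningful in a browser, where
// document and window exist; nothing here runs at module load.
function protectButton(button, doc = globalThis.document, win = globalThis.window) {
  const guard = createActionGuard();
  button.disabled = true;
  const arm = () => { guard.onGesture(Date.now()); button.disabled = false; };
  const disarm = () => { guard.onLoseFocus(); button.disabled = true; };
  doc.addEventListener('mousemove', arm);
  doc.addEventListener('keydown', arm);
  win.addEventListener('blur', disarm);
  doc.addEventListener('visibilitychange', () => { if (doc.hidden) disarm(); });
  // Capture phase, so the rejection runs before the button's own submit handler.
  button.addEventListener('click', (ev) => {
    if (!guard.shouldHonourClick(Date.now())) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true);
  return guard;
}
```

The settle threshold is a trade-off: too short and a stray pointer movement during the window swap re-arms the button, too long and a fast but genuine administrator is rejected once and has to click again. The guard is a client-side complement to, not a replacement for, server-side controls on privilege changes such as an explicit confirmation step; note that a CSRF token alone does not help here, because the request is issued by the administrator's own browser in a fully authenticated session.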

Affected Version(s)

FreshRSS < 1.27.0

CVSS V3.1

Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved