Directory Enumeration Vulnerability in FreshRSS by FreshRSS
CVE-2025-61586

6.9MEDIUM

Key Information:

Vendor

Freshrss

Status
Freshrss
Vendor
CVE Published:
29 September 2025

What is CVE-2025-61586?

FreshRSS, a popular self-hostable RSS aggregator, contains a vulnerability in versions 1.26.3 and earlier that enables directory enumeration through a manipulated theme field path. This flaw permits attackers to ascertain the existence of specific directories on the server, potentially exposing sensitive information. Users are advised to upgrade to version 1.27.0 to remediate this issue and enhance their security posture.

Affected Version(s)

FreshRSS < 1.27.0

References

https://github.com/FreshRSS/FreshRSS/security/advisories/...
x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/7722
x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.