7.2

CVE-2025-54593

FreshRSS is vulnerable to RCE attacks by authenticated admin

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerFreshRSS
Produkt FreshRSS
Version < 1.26.2
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.75% 0.5
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57
https://github.com/FreshRSS/FreshRSS/pull/7477
https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101
https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2