Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-57769

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0

Published

2025-09-29T22:15:36.463

Last Modified

2025-10-03T15:58:53.477

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79
CWE-1021
Type: Primary
CWE-1021

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	freshrss	freshrss	< 1.27.0	Yes

References

https://github.com/FreshRSS/FreshRSS/pull/7677 Patch ([email protected])
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0 Release Notes ([email protected])
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw Exploit, Vendor Advisory ([email protected])
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)