Skip to main content

Freshrss CVE-2025-46339

| EUVDEUVD-2025-16931 MEDIUM
Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)
2025-06-04 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16931
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
Patch released
Mar 14, 2026 - 17:29 nvd
Patch available
PoC Detected
Aug 12, 2025 - 15:33 vuln.today
Public exploit code
CVE Published
Jun 04, 2025 - 20:15 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue.

AnalysisAI

A security vulnerability in FreshRSS (CVSS 4.3). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. Affects FreshRSS.

RemediationAI

Apply the vendor-supplied patch immediately.

CVE-2025-31134 HIGH POC
7.5 Jun 04

FreshRSS versions prior to 1.26.2 suffer from an information disclosure vulnerability that allows unauthenticated remote

CVE-2025-46341 HIGH POC
7.1 Jun 04

Critical authentication bypass vulnerability in FreshRSS versions prior to 1.26.2 that allows authenticated attackers to

CVE-2025-32015 MEDIUM POC
6.7 Jun 04

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe

CVE-2025-31136 MEDIUM POC
6.7 Jun 04

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the

CVE-2023-22481 MEDIUM POC
5.5 Mar 06

FreshRSS is a self-hosted RSS feed aggregator. Rated medium severity (CVSS 5.5), this vulnerability is low attack comple

CVE-2025-31482 MEDIUM POC
4.3 Jun 04

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedl

CVE-2025-62166 HIGH
7.5 Mar 09

self-hostable RSS aggregator. versions up to 1.28.0 is affected by improper access control (CVSS 7.5).

CVE-2022-23497 HIGH
7.5 Dec 09

FreshRSS is a free, self-hostable RSS aggregator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2025-61586 MEDIUM POC
6.9 Sep 30

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.9), this vulnerability is remotely explo

CVE-2025-59950 MEDIUM POC
6.7 Sep 30

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.7), this vulnerability is remotely explo

CVE-2025-59948 MEDIUM POC
6.7 Sep 29

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 6.7), this vulnerability is remotely explo

CVE-2025-57769 MEDIUM POC
5.3 Sep 29

FreshRSS is a free, self-hostable RSS aggregator. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

Vendor StatusVendor

Debian

Bug #1032767
freshrss
Release Status Fixed Version Urgency
open - -

Share

CVE-2025-46339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy