What is the CVSS score of CVE-2025-62166?

CVE-2025-62166 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Freshrss are affected by CVE-2025-62166?

An improper access control vulnerability in self-hosted RSS aggregator versions up to 1.28.0 allows unauthorized users to access restricted functionality, potentially exposing sensitive feed data and…

How to fix or mitigate CVE-2025-62166?

Within 24 hours: Audit current RSS aggregator deployment version and document all instances running version 1.28.0 or earlier. Within 7 days: Implement network segmentation to restrict RSS aggregator access to authorized personnel only and enable detailed access logging. Within 30 days: Develop an upgrade plan for when patches become available and establish a vendor communication schedule for security updates.

Freshrss CVE-2025-62166

HIGH

Improper Access Control (CWE-284)

2026-03-09 security-advisories@github.com

Authentication Bypass Freshrss

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

CVE Published

Mar 09, 2026 - 20:16 nvd

HIGH 7.5

DescriptionNVD

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

AnalysisAI

self-hostable RSS aggregator. versions up to 1.28.0 is affected by improper access control (CVSS 7.5).

Technical ContextAI

This vulnerability (CWE-284: Improper Access Control) affects self-hostable RSS aggregator.. FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

RemediationAI

Fixed in version 1.28.0.. Restrict network access to the affected service where possible.

CVE-2025-62166 vulnerability details – vuln.today

Back

Freshrss CVE-2025-62166

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code