What is the CVSS score of EUVD-2025-16931?

EUVD-2025-16931 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Freshrss are affected by EUVD-2025-16931?

Organizations using FreshRSS should be aware of moderate risk from CVE-2025-46339 rated CVSS 4.3. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-16931?

Yes, a public proof-of-concept exploit is available for EUVD-2025-16931. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2025-16931?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Freshrss EUVD-2025-16931

| CVE-2025-46339 MEDIUM

Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)

2025-06-04 security-advisories@github.com

Information Disclosure Debian Freshrss

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 17:29 euvd

EUVD-2025-16931

Analysis Generated

Mar 14, 2026 - 17:29 vuln.today

Patch released

Mar 14, 2026 - 17:29 nvd

Patch available

PoC Detected

Aug 12, 2025 - 15:33 vuln.today

Public exploit code

CVE Published

Jun 04, 2025 - 20:15 nvd

MEDIUM 4.3

DescriptionNVD

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue.

AnalysisAI

A security vulnerability in FreshRSS (CVSS 4.3). Risk factors: public PoC available. Vendor patch is available.

Technical ContextAI

Vulnerability type: remote code execution. Affects FreshRSS.

RemediationAI

Apply the vendor-supplied patch immediately.

More from same product – last 7 days

CVE-2026-47269 HIGH This Week

7.4 May 27

Authentication-context bypass in pam_usb before 0.9.0 lets a person holding an enrolled USB device authenticate over SSH

CVE-2026-47271 MEDIUM This Month

5.1 May 27

pam_usb prior to 0.9.0 crashes under memory pressure due to assert()-based OOM guards in src/mem.c that are silently str

CVE-2026-45898 Awaiting Data

May 27

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removin

CVE-2026-45924 Awaiting Data

May 27

In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on s

CVE-2026-45965 Awaiting Data

May 27

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_

Vendor StatusVendor

Debian

Bug #1032767

freshrss

Release	Status	Fixed Version	Urgency
	open	-	-

EUVD-2025-16931 vulnerability details – vuln.today

Back

Freshrss EUVD-2025-16931

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Debian

Share

External POC / Exploit Code