What is the CVSS score of EUVD-2025-16933?

EUVD-2025-16933 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.0%.

Which versions of Freshrss are affected by EUVD-2025-16933?

Organizations using versions should be aware of moderate risk from CVE-2025-31482, a cross-site request forgery vulnerability rated CVSS 4.3.. A patch is available.

Is there a public PoC exploit available for EUVD-2025-16933?

Yes, a public proof-of-concept exploit is available for EUVD-2025-16933. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2025-16933?

Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.

Freshrss EUVD-2025-16933

| CVE-2025-31482 MEDIUM

Cross-Site Request Forgery (CSRF) (CWE-352)

2025-06-04 security-advisories@github.com

CSRF Denial Of Service Debian Freshrss

4.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.3 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.26.2

EUVD ID Assigned

Mar 14, 2026 - 17:29 euvd

EUVD-2025-16933

Analysis Generated

Mar 14, 2026 - 17:29 vuln.today

PoC Detected

Aug 12, 2025 - 15:21 vuln.today

Public exploit code

CVE Published

Jun 04, 2025 - 20:15 nvd

MEDIUM 4.3

DescriptionGitHub Advisory

FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged out after fetching a malicious feed entry, effectively causing that user to suffer denial of service. Version 1.26.2 contains a patch for the issue.

Analysis

Technical ContextAI

Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).

RemediationAI

Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.

Vendor StatusVendor

Debian

Bug #1032767

freshrss

Release	Status	Fixed Version	Urgency
	open	-	-

EUVD-2025-16933 vulnerability details – vuln.today

Back

Freshrss EUVD-2025-16933

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Vendor StatusVendor

Debian

Share

External POC / Exploit Code