freshrss

22 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-62166
< 1.28.0
FreshRSS is a free, self-hostable RSS aggregator. Prior to 1.28.0, a bug in the auth logic related to master authentication tokens, t
7.5 HIGH

CVE-2025-68932
< 1.28.0
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number gene
9.8 CRITICAL

CVE-2025-68148
>= 1.27.0 and < 1.28.0
FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to
4.3 MEDIUM

CVE-2025-59949
< 1.27.1
FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability
5.3 MEDIUM

CVE-2025-58173
>= 1.23.0 and < 1.27.1
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the language use
8.8 HIGH

CVE-2025-61586
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting pat
5.3 MEDIUM

CVE-2025-59950
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection
6.7 MEDIUM

CVE-2025-59948
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in fe
6.7 MEDIUM

CVE-2025-57769
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page
6.1 MEDIUM

CVE-2025-54875
>= 1.16.0 and < 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create
9.8 CRITICAL

CVE-2025-54592
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. A
9.8 CRITICAL

CVE-2025-54591
< 1.27.0
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below expose information about feeds and tags of default adm
7.5 HIGH

CVE-2025-54593
< 1.26.2
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute ar
7.2 HIGH

CVE-2025-46341
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's
7.1 HIGH

CVE-2025-46339
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given UR
4.3 MEDIUM

CVE-2025-32015
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the <iframe srcdoc>
6.7 MEDIUM

CVE-2025-31482
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. A vulnerability in versions prior to 1.26.2 causes a user to be repeatedly logged o
4.3 MEDIUM

CVE-2025-31136
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds pag
6.7 MEDIUM

CVE-2025-31134
< 1.26.2
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the serv
7.5 HIGH

CVE-2023-22481
>= 1.9.0 and < 1.21.0
FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/lo
4.0 MEDIUM

CVE-2022-23497
>= 1.18.0 and < 1.20.2
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user p
6.5 MEDIUM

CVE-2018-19782
all versions
Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary
6.1 MEDIUM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin