CVE-2025-54875
CRITICALFreshRSS 1.16.0-1.26.3 - Unauthenticated Privilege Escalation via Hidden Admin Field
Title source: llmDescription
FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0.
References (3)
Core 3
Core References
Exploit, Third Party Advisory, Vendor Advisory x_refsource_confirm
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq
Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7783
Release Notes x_refsource_misc
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
Scores
CVSS v3
9.8
EPSS
0.0048
EPSS Percentile
37.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-284
Status
published
Products (1)
freshrss/freshrss
1.16.0 - 1.27.0
Published
Sep 29, 2025
Tracked Since
Feb 18, 2026