CVE-2025-57769
MEDIUMFreshRSS < 1.27.0 - Cross-Site Scripting and Privilege Escalation via Iframe UI Obscuring
Title source: llmDescription
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw
Release Notes x_refsource_misc
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7677
Scores
CVSS v3
6.1
EPSS
0.0025
EPSS Percentile
16.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-1021
Status
published
Products (1)
freshrss/freshrss
< 1.27.0
Published
Sep 29, 2025
Tracked Since
Feb 18, 2026