CVE-2025-57769

MEDIUM

Freshrss < 1.27.0 - XSS

Title source: rule

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0

References (3)

[Exploit, Vendor Advisory] https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw

[Release Notes] https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0

[Patch] https://github.com/FreshRSS/FreshRSS/pull/7677

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 10.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-1021

Status published

Products (1)

freshrss/freshrss < 1.27.0

Published Sep 29, 2025

Tracked Since Feb 18, 2026