Description
FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or set the database to an attacker-controlled MySQL server and abuse it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue.
References (7)
Core 7
Core References
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293
Issue Tracking, Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7878
Issue Tracking, Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7971
Issue Tracking, Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/pull/7979
Patch x_refsource_misc
https://github.com/FreshRSS/FreshRSS/commit/79604aa4b3051f083d1734bd9e82c6a89d785c5a#diff-49280171b6e7964e21a0270427e56eacb47b8ac562593a01ad4bc74b49f840c7R135
Scores
CVSS v3
8.8
EPSS
0.0019
EPSS Percentile
40.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
CWE-20
Status
published
Products (1)
freshrss/freshrss
1.23.0 - 1.27.1
Published
Dec 16, 2025
Tracked Since
Feb 18, 2026