CVE-2025-68932

CRITICAL

FreshRSS <1.28.0 - Info Disclosure

Title source: llm

Description

FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0.

References (3)

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 12.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-338
Status published

Affected Products (1)

freshrss/freshrss < 1.28.0

Timeline

Published Dec 27, 2025
Tracked Since Feb 18, 2026