Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2.

INFO

Published Date :

2025-08-01T18:04:40.265Z

Last Modified :

2025-08-01T18:32:59.897Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54593 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54593.

URL Resource
https://github.com/FreshRSS/FreshRSS/commit/dbdadbb4107878d9233f635c31a88afe45957101 cve-icon cve-icon
https://github.com/FreshRSS/FreshRSS/pull/7477 cve-icon cve-icon
https://github.com/FreshRSS/FreshRSS/releases/tag/1.26.2 cve-icon cve-icon
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jcww-48g9-wf57 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact