Description

FreshRSS is a free, self-hostable RSS aggregator. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. Prior to 1.28.0, this restriction is bypassed because of a bug in the auth logic related to master authentication tokens. This vulnerability is fixed in 1.28.0.

INFO

Published Date: 2026-03-09T19:35:37.043Z

Last Modified: 2026-03-09T20:44:25.312Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-62166 vulnerability.

Vendor: Freshrss
Product: Freshrss

CVSS Vulnerability Scoring System

Vector metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact