CVE-2025-54593 HIGH

CVE-2025-54593: FreshRSS is vulnerable to RCE attacks by authenticated admin

Vendor Freshrss
Product FreshRSS
Weakness CWE-94 · Code injection
Published August 1, 2025
Last update August 1, 2025

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator can execute arbitrary code on the FreshRSS server by changing the update URL to one they control and then running an update, which fetches and executes the attacker-supplied update package. After code execution is obtained, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow, and malicious code can be inserted into the instance to capture plaintext passwords, among other impacts. This is fixed in version 1.26.2.

Key dates

Disclosure timeline

August 1, 2025 CVE published
August 1, 2025 Record updated
