CVE-2025-59948 MEDIUM

CVE-2025-59948: FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page

Vendor Freshrss

Product FreshRSS

Weakness CWE-79 · XSS

Published September 29, 2025

Last update September 30, 2025

View on NVD All CVEs

CVSS base score

6.7/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not sanitize certain event handler attributes in feed content, so by finding a page that renders feed entries without CSP, it is possible to execute an XSS payload. The Allow API access authentication setting needs to be enabled by the instance administrator beforehand for the attack to work as it relies on api/query.php. An account takeover is possible by sending a change password request via the XSS payload / setting UserJS for persistence / stealing the autofill password / displaying a phishing page with a spoofed URL using history.replaceState() If the victim is an administrator, the attacker can also perform administrative actions. This issue is fixed in version 1.27.0.

Key dates

02Disclosure timeline

September 29, 2025 CVE published

September 30, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59948 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-59948: FreshRSS is vulnerable to XSS due to lack of CSP on HTML query page

01Description

02Disclosure timeline

03References

04Related CVE