We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-32015

FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>



Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 contains a patch for the issue.

Reserved 2025-04-01 | Published 2025-06-04 | Updated 2025-06-04 | Assigner GitHub_M


MEDIUM: 6.7CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.26.2
affected

References

github.com/...eshRSS/security/advisories/GHSA-wgrq-mcwc-8f8v

github.com/...ommit/54e2f9107d03c5b3bb260f38fdb2736bce449fd4

cve.org (CVE-2025-32015)

nvd.nist.gov (CVE-2025-32015)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-32015

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.