📦 FreshRSS
by FreshRSS
🔍 What is FreshRSS?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability in FreshRSS allows attackers to predict authentication tokens due to weak random number generation, enabling account takeover through session hijacking. All FreshRSS instances prior...
FreshRSS versions 1.26.3 and below have a session management vulnerability where logout doesn't properly invalidate session cookies. This allows attackers to hijack user sessions by reusing old cookie...
This vulnerability in FreshRSS allows unprivileged users to perform path traversal via the language configuration parameter, enabling them to access install.php and execute administrative actions. Att...
This vulnerability allows authenticated administrator users in FreshRSS versions 1.26.1 and below to execute arbitrary code on the server by modifying the update URL to a malicious source. Successful ...
FreshRSS versions before 1.26.2 contain an authentication bypass vulnerability when using HTTP auth via reverse proxy. Attackers with an account on the instance can impersonate any user by manipulatin...
FreshRSS versions before 1.26.2 contain an information disclosure vulnerability that allows attackers to check for the existence of specific directories on the server. This can reveal details about in...
This vulnerability in FreshRSS allows attackers to globally deny access to RSS feeds by manipulating proxy responses to return HTTP 429 Retry-After headers for multiple feeds. This makes the instance ...
FreshRSS versions before 1.27.1 have a cross-site request forgery (CSRF) vulnerability in the logout functionality that can be exploited via <track src> elements. This allows attackers to force logged...
FreshRSS versions 1.26.3 and below contain a path traversal vulnerability in the theme field that allows attackers to enumerate server directories. This can reveal sensitive information about the serv...
This vulnerability in FreshRSS allows attackers to trick administrators into promoting unauthorized users to admin privileges through a double clickjacking bypass. Attackers need to know the target in...
FreshRSS versions 1.26.3 and below contain a UI redressing vulnerability where attackers can trick authenticated users into performing unintended actions via iframe manipulation. This can lead to priv...
FreshRSS versions before 1.26.2 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious RSS feed entry to repeatedly log out a user. This causes denial of service for affecte...