CVE-2025-62166

7.5 HIGH
Published: March 09, 2026 Modified: March 13, 2026
View on NVD

Description

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24
Source: security-advisories@github.com
Patch
https://github.com/FreshRSS/FreshRSS/pull/8165
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/FreshRSS/FreshRSS/releases/tag/1.28.0
Source: security-advisories@github.com
Product Release Notes
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwh
Source: security-advisories@github.com
Exploit Patch Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.2%
36th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-284 CWE-639

Affected Vendors

freshrss

Related CVEs

CVE-2026-4508 7.3
CVE-2026-3864 6.5
CVE-2026-33476 7.5
CVE-2026-33423 N/A
CVE-2026-33422 3.5