Draft a new security advisory online, or report security issues to alexandre@alapetite.fr (PGP public key if relevant).
Security: FreshRSS/FreshRSS
- Logout CSRF leads to DoS via <track src> (GHSA-w7f5-8vf9-f966, Moderate), published Dec 18, 2025 by Alkarex
- Authenticated RCE via path traversal inside include() (GHSA-6c8h-w3j5-j293, Critical), published Dec 15, 2025 by Alkarex
- Directory enumeration by setting path in theme field (GHSA-w35p-p867-qr4f, Low), published Sep 27, 2025 by Alkarex
- XSS due to lack of CSP on HTML query page (GHSA-rwhf-vjjx-gmm9, Moderate), published Sep 27, 2025 by Alkarex
- Unauthorized creation of admin user when registration is enabled (GHSA-h625-ghr3-jppq, Critical), published Sep 27, 2025 by Alkarex
- Unauthenticated users are able to read information about feeds/tags of the default user (GHSA-jf4v-f8p2-8xvq, High), published Sep 27, 2025 by Alkarex
- Incomplete Session Termination on Logout in FreshRSS (GHSA-42v4-65f8-5wgr, Moderate), published Sep 27, 2025 by Alkarex
- Double clickjacking leads to privilege escalation (GHSA-j66v-hvqx-5vh3, Moderate), published Sep 27, 2025 by Alkarex
- Admin authenticated RCE <1.26.2 (GHSA-jcww-48g9-wf57, High), published Jul 31, 2025 by Alkarex
- Clickjacking leads to XSS / privilege escalation (GHSA-wm5p-7pr7-c8rw, Low), published Sep 27, 2025 by Alkarex