CVE-2025-31483

Name of the Vulnerable Software and Affected Versions Miniflux versions prior to 2.2.7

Description The issue is related to a weak Content Security Policy on the "/proxy/*" route, allowing an attacker to bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab or window.

Recommendations For versions prior to 2.2.7, update to version 2.2.7 to fix the vulnerability. As a temporary workaround, consider changing the Content Security Policy for the media proxy to "default-src 'none'; form-action 'none'; sandbox;" to mitigate the risk of exploitation. Restrict access to the "/proxy/*" route to minimize the risk of cross-site scripting attacks.