CVE-2025-32015

Name of the Vulnerable Software and Affected Versions FreshRSS versions prior to 1.26.2

Description The issue is related to improper HTML sanitization inside the <iframe srcdoc> attribute, leading to cross-site scripting (XSS) by loading an attacker's UserJS inside <script src>. To execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. This could allow an attacker to gain access to the victim's account. If the victim is an admin, it would be possible to delete all users or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS.

Recommendations For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the <iframe srcdoc> attribute or disabling the use of UserJS inside <script src> until the patch is applied. Restricting feed control and account access can also minimize the risk of exploitation.