PT-2025-23855 · FreshRSS · FreshRSS

Inverle · Published 2025-06-04 · Updated 2025-06-04 · CVE-2025-46339

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.26.2

Description: The issue allows an attacker to poison feed favicons by manipulating the feed URL and proxy settings, potentially replacing favicons for all users. This is possible because the favicon hash computation does not include the proxy address, proxy protocol, and SSL verification settings, so a favicon fetched under attacker-influenced proxy settings lands in the same cache slot as the one fetched directly. An attacker who can intercept the feed response can change the website URL in it so that it points to a favicon under their control.

Recommendations: For versions prior to 1.26.2, update to version 1.26.2 to resolve the issue. As a temporary workaround, consider restricting access to the proxy settings and ensuring SSL verification is enabled for all feeds. Avoid using the proxy feature with untrusted feeds until the issue is resolved.
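To make the root cause concrete, the following is an added illustrative model of a shared favicon cache keyed by a hash; it is constructed for this page and is not FreshRSS's own code. The vulnerable key is derived from the site URL alone, the corrected key also binds the proxy address, proxy protocol and SSL-verification flag named in the description, and a small replay shows that only the corrected key keeps a favicon fetched in one context from overwriting the one every other user is served.

```python
"""Model of a favicon cache whose key decides which stored icon every
subscriber of a site sees. If the key ignores how the feed was fetched
(proxy address, proxy protocol, SSL verification), two fetch contexts
that may have seen different icons share a single cache slot."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FetchContext:
    """Per-feed fetch settings, as named in the advisory (hypothetical shape)."""
    proxy_address: str = ""     # "" means the feed is fetched directly
    proxy_protocol: str = ""    # e.g. "http" or "socks5" when a proxy is set
    ssl_verify: bool = True


def favicon_key_vulnerable(site_url: str, ctx: FetchContext) -> str:
    """Pre-1.26.2 style key: the fetch context is deliberately ignored."""
    return hashlib.sha256(site_url.encode()).hexdigest()


def favicon_key_fixed(site_url: str, ctx: FetchContext) -> str:
    """Corrected key: the fetch context is part of the hashed material."""
    material = "\n".join([site_url, ctx.proxy_address, ctx.proxy_protocol,
                          "1" if ctx.ssl_verify else "0"])
    return hashlib.sha256(material.encode()).hexdigest()


def simulate_cache(key_func, fetches):
    """Replay (site_url, ctx, favicon_bytes) fetches into a dict-backed cache."""
    cache = {}
    for site_url, ctx, favicon in fetches:
        cache[key_func(site_url, ctx)] = favicon   # later fetch overwrites earlier
    return cache


# Constructed sample data: the same site subscribed twice, fetched in different
# contexts; the favicon bytes differ because the two fetch paths differ.
SITE = "https://example.com/"
DIRECT = FetchContext()
VIA_PROXY = FetchContext(proxy_address="proxy.example.internal:3128",
                         proxy_protocol="http", ssl_verify=False)
FETCHES = [
    (SITE, DIRECT, b"direct-favicon"),
    (SITE, VIA_PROXY, b"proxy-favicon"),
]


def favicon_served(key_func, reader_ctx: FetchContext = DIRECT):
    """What a reader using reader_ctx is served after both fetches ran."""
    cache = simulate_cache(key_func, FETCHES)
    return cache.get(key_func(SITE, reader_ctx))
```

With the vulnerable key the direct-fetching reader receives the proxy-fetched icon; with the corrected key each context keeps its own entry.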

Related Identifiers

CVE-2025-46339
GHSA-8F79-3Q3W-43C4

Affected Products

FreshRSS