PT-2025-39901 · FreshRSS · FreshRSS
Inverle · Published 2025-09-29 · Updated 2025-09-30 · CVE-2025-54591
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below
Description: FreshRSS, a self-hostable RSS aggregator, discloses information about feeds and tags belonging to default admin users. This is due to missing access controls around the FreshRSS Auth::hasAccess() function, which is relied on by certain tag- and feed-related endpoints. Specifically, some FreshRSS controllers lack a defined firstAction() method or manual access checks, leading to unauthorized information exposure. The issue is addressed in version 1.27.0.
Recommendations: Update to version 1.27.0 or later.
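To illustrate the pattern the description points at, here is an added PHP example (not FreshRSS code, and not an exploit): a minimal stand-in dispatcher with a firstAction() hook of the kind the advisory mentions. A controller that does not define the hook serves its action to an anonymous caller; one that defines it and calls hasAccess() refuses before the action runs. The Demo_ class names, the dispatcher and the hasAccess() stub are constructed for this example; only the method names firstAction() and hasAccess() come from the advisory.

```php
<?php
// Added illustration, not FreshRSS code. Demo_* names and the dispatcher are
// constructed; FreshRSS_Auth::hasAccess() is the check named in the advisory,
// stubbed here so the file runs stand-alone.

class FreshRSS_Auth {
    public static bool $loggedIn = false;          // constructed session state
    public static function hasAccess(): bool { return self::$loggedIn; }
}

class Demo_Forbidden extends RuntimeException {}

abstract class Demo_ActionController {
    // Hook the dispatcher runs before every action; a controller must
    // override it (or check manually) to enforce access.
    public function firstAction(): void {}
}

// Weak pattern: no firstAction() and no manual check, so the action
// returns data to anyone who reaches the endpoint.
class Demo_TagControllerUnprotected extends Demo_ActionController {
    public function listAction(): array {
        return ['tags' => ['private-label']];     // constructed sample data
    }
}

// Hardened pattern: firstAction() denies the request before any action runs.
class Demo_TagControllerProtected extends Demo_ActionController {
    public function firstAction(): void {
        if (!FreshRSS_Auth::hasAccess()) {
            throw new Demo_Forbidden('403: authentication required');
        }
    }
    public function listAction(): array {
        return ['tags' => ['private-label']];
    }
}

// Minimal stand-in for the framework dispatcher: hook first, then action.
function demo_dispatch(Demo_ActionController $c, string $action): array {
    $c->firstAction();
    return $c->{$action . 'Action'}();
}

// Simulate an anonymous request against both controllers.
FreshRSS_Auth::$loggedIn = false;

print_r(demo_dispatch(new Demo_TagControllerUnprotected(), 'list')); // data returned

try {
    demo_dispatch(new Demo_TagControllerProtected(), 'list');
} catch (Demo_Forbidden $e) {
    echo $e->getMessage(), PHP_EOL;                                   // denied
}
```

When reviewing a controller-based application for this class of bug, the check is mechanical: list every controller, and for each one confirm that either the base hook is overridden with an access check or every action checks access itself. A controller missing both is the condition the advisory describes.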


Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2025-54591, GHSA-JF4V-F8P2-8XVQ
Affected Products: FreshRSS