PT-2025-39905 · Freshrss · Freshrss

Inverle · Published 2025-09-29 · Updated 2025-09-29 · CVE-2025-57769

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below
Description: FreshRSS is a free, self-hostable RSS aggregator. In affected versions, a crafted page can mislead a user into executing arbitrary JavaScript code or elevating privileges within FreshRSS by concealing FreshRSS UI elements inside iframes (clickjacking). If an authenticated FreshRSS page can be embedded in an iframe, this can lead to privilege escalation by obscuring the "promote user" button in the admin UI, or to cross-site scripting (XSS) by deceiving the user into dragging content into the UserJS text area.
Recommendations: Update to version 1.27.0 or later.

Tags: Exploit · Fix · LPE · Clickjacking · XSS

Weakness Enumeration

Related Identifiers
CVE-2025-57769
GHSA-WM5P-7PR7-C8RW

Affected Products
Freshrss