PT-2025-39918 · Freshrss · Freshrss

Inverle · Published 2025-09-29 · Updated 2025-09-30 · CVE-2025-59948

CVSS v3.1: 6.7 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below
Description: FreshRSS does not properly sanitize event handler attributes (on* attributes) within feed content. This can lead to cross-site scripting (XSS) if a page renders feed entries without a Content Security Policy (CSP). The "Allow API access" authentication setting must be enabled for exploitation. An attacker can potentially take over an account by sending a change-password request, setting UserJS for persistence, stealing autofill passwords, or displaying a phishing page. If the victim is an administrator, administrative actions are also possible. The attack uses the /api/query.php endpoint.
Recommendations: Update to version 1.27.0 or later.
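As an added defensive example, not FreshRSS's own sanitizer: a filter that rebuilds a feed entry's HTML while dropping every on* attribute and reports what it removed, so stored or incoming feed content can be checked for the attribute class this advisory describes. The sample entry is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser


class EventHandlerFilter(HTMLParser):
    """Rebuild an HTML fragment, dropping every on* attribute.
    HTMLParser lower-cases names, so ONCLICK/onClick are caught too."""

    def __init__(self):
        super().__init__()
        self.out = []       # rebuilt markup pieces
        self.removed = []   # (tag, attribute) pairs that were dropped

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                self.removed.append((tag, name))
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True unescaped the text; re-escape it on output
        self.out.append(html.escape(data, quote=False))


def strip_event_handlers(fragment):
    """Return (cleaned_html, removed) for one feed entry's content."""
    f = EventHandlerFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample entry (not from a real feed): an image with an inline handler.
SAMPLE_ENTRY = '<p>Hello <img src="x.png" alt="pic" onerror="doSomething()"></p>'
print(strip_event_handlers(SAMPLE_ENTRY))
```

A non-empty `removed` list on content that should be plain article HTML is the signal worth alerting on; the cleaned fragment is what a renderer without CSP should get.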

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-59948
GHSA-RWHF-VJJX-GMM9

Affected Products

Freshrss