PT-2025-39920 · Freshrss · Freshrss

Inverle · Published 2025-09-29 · Updated 2025-09-30 · CVE-2025-59950

CVSS v3.1: 6.7 Medium
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below
Description: FreshRSS is susceptible to a double-clickjacking protection bypass. An attacker can trick an administrator into promoting the attacker's account to "admin" and logging into other users' accounts. This is achieved by exploiting a flaw in the confirmation dialog and requires knowledge of the specific instance URL. A successful attack requires the administrator to double-click a button on an attacker-controlled website.
Recommendations: Update to version 1.27.0 or later.

Exploit · Fix · LPE · Clickjacking

Weakness Enumeration

Related Identifiers

CVE-2025-59950
GHSA-J66V-HVQX-5VH3

Affected Products

Freshrss