PT-2025-51321 · Freshrss · Freshrss
Published 2025-12-15 · Updated 2025-12-21 · CVE-2025-58173
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.23.0 through 1.27.0
Description: FreshRSS is a self-hosted RSS feed aggregator. Versions 1.23.0 through 1.27.0 contain a path traversal issue in the per-user language configuration parameter: the stored value is used in a file path, so a crafted value can escape the intended directory. This allows an unprivileged (authenticated, PR:L) user to invoke install.php, the script used for administrative setup tasks, and perform administrative actions: logging in as the administrator, creating a new administrator user, or reconfiguring the database connection to point at an attacker-controlled MySQL server. With control over the database contents, the attacker can then execute code within FreshRSS by setting malicious feed curl params in the feed table.
Recommendations: Update to version 1.27.1 or later.
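The weakness class named above, as an added illustration that is not FreshRSS code and does not reproduce the project's actual file layout or the advisory's exploit: a hypothetical loader that builds an include path from a user-controlled language setting, shown beside a hardened version that rejects anything not on an allow-list derived from the translations directory and confirms the resolved path stays inside it. The directory layout (app/i18n/<lang>.php, app/install.php), the function names and the attacker value are assumptions; the temporary tree is constructed so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration (not FreshRSS code) of the weakness class in the
// advisory: a per-user "language" setting pasted into an include path.
// Assumed layout: <root>/app/i18n/<lang>.php holds translations and
// <root>/app/install.php is an admin-only script the setting must never reach.
// Requires PHP 8.0+ (str_starts_with, str_ends_with, mixed).

// Throwaway tree, constructed so the example runs offline.
$root = sys_get_temp_dir() . '/lang-traversal-' . bin2hex(random_bytes(4));
mkdir("$root/app/i18n", 0700, true);
file_put_contents("$root/app/i18n/en.php", "<?php return ['hello' => 'Hello'];\n");
file_put_contents("$root/app/i18n/fr.php", "<?php return ['hello' => 'Bonjour'];\n");
file_put_contents("$root/app/install.php", "<?php return 'INSTALL SCRIPT EXECUTED';\n");
$i18nDir = "$root/app/i18n";

// Vulnerable pattern: the stored setting goes straight into the path, so
// "../install" resolves to app/install.php and that script is executed.
function loadTranslationVulnerable(string $i18nDir, string $language): mixed
{
    return include "$i18nDir/$language.php";
}

// Hardened pattern: syntactic check on the value, allow-list built from the
// actual directory listing, then a realpath containment check before include.
function loadTranslationHardened(string $i18nDir, string $language): mixed
{
    if (!preg_match('/^[a-z]{2,3}(?:-[A-Za-z]{2,4})?$/', $language)) {
        throw new InvalidArgumentException("malformed language value: $language");
    }
    $available = [];
    foreach (scandir($i18nDir) as $entry) {
        if (str_ends_with($entry, '.php') && is_file("$i18nDir/$entry")) {
            $available[] = substr($entry, 0, -4);
        }
    }
    if (!in_array($language, $available, true)) {
        throw new InvalidArgumentException("unknown language: $language");
    }
    $base = realpath($i18nDir);
    $file = realpath("$i18nDir/$language.php");
    if ($base === false || $file === false
        || !str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException("resolved path escapes $i18nDir");
    }
    return include $file;
}

// Constructed attacker value: turns app/i18n/../install.php into app/install.php.
$evil = '../install';

var_dump(loadTranslationVulnerable($i18nDir, 'en'));
var_dump(loadTranslationVulnerable($i18nDir, $evil));
var_dump(loadTranslationHardened($i18nDir, 'fr'));
foreach ([$evil, '../../install', 'en/../../install'] as $bad) {
    try {
        loadTranslationHardened($i18nDir, $bad);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The allow-list alone would block the traversal; the realpath check is kept as a second layer so that a future change to the directory listing logic (symlinks, nested directories) cannot silently reopen the path. Run it with a PHP 8 CLI: the vulnerable loader returns the contents of install.php for the crafted value, while the hardened loader rejects every malformed or off-list value before touching the filesystem.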

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-58173
GHSA-6C8H-W3J5-J293

Affected Products

Freshrss