PT-2026-24101 · FreshRSS · FreshRSS

Published: 2026-03-09 · Updated: 2026-03-10 · CVE-2025-62166

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FreshRSS versions prior to 1.28.0

Description: FreshRSS, a free, self-hostable RSS aggregator, contains an issue in its authentication logic related to master authentication tokens. The flaw allows bypassing a restriction intended to limit anonymous viewing to the default user's feed only, potentially exposing feeds of other users that should remain private.

Recommendations: Update to version 1.28.0 or later.


Weakness Enumeration: Improper Access Control, IDOR

Related Identifiers: CVE-2025-62166, GHSA-W743-FG6G-MHWH

Affected Products: FreshRSS