CVE-2025-32015 — MEDIUM (6.7)

Vulnerability Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 contains a patch for the issue.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Freshrss	Freshrss	< 1.26.2

Related Weaknesses (CWE)

CWE-79

References

https://github.com/FreshRSS/FreshRSS/commit/54e2f9107d03c5b3bb260f38fdb2736bce44Patch
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wgrq-mcwc-8f8vExploitVendor Advisory

FAQ

What is CVE-2025-32015?

CVE-2025-32015 is a vulnerability with a CVSS score of 6.7 (MEDIUM). FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an att...

How severe is CVE-2025-32015?

CVE-2025-32015 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-32015?

Check the references section above for vendor advisories and patch information. Affected products include: Freshrss Freshrss.