Vulnerability Description
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Freshrss | Freshrss | < 1.27.0 |
Related Weaknesses (CWE)
References
- https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb7Patch
- https://github.com/FreshRSS/FreshRSS/pull/7722Patch
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4fExploitThird Party Advisory
- https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4fExploitThird Party Advisory
FAQ
What is CVE-2025-61586?
CVE-2025-61586 is a vulnerability with a CVSS score of 5.3 (MEDIUM). FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information ab...
How severe is CVE-2025-61586?
CVE-2025-61586 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-61586?
Check the references section above for vendor advisories and patch information. Affected products include: Freshrss Freshrss.