CVE-2025-31134
MEDIUM EPSS 31.4%
Published Jun 4, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
5.5 CVSS 4.0
Description
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
31.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-201
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| freshrss | freshrss | * | <1.26.2 |
References 2
- github.com https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438
- github.com https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65
Remediation
- github.com https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438