CVE-2025-31134

MEDIUM EPSS 31.4%
Published Jun 4, 2025 · Modified Jun 17, 2026
CVSS 4.0 base score: 5.5 (Medium)

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server and potentially use that information to further attack the server. Version 1.26.2 contains a patch for the issue.

CVSS Details

Base Score: 5.5
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability
31.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-201

Affected Products 1

Vendor    Product   Version  Range
freshrss  freshrss  *        <1.26.2

References 2

  • github.com https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438
    Patch
  • github.com https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-jjm2-4hf7-9x65
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/FreshRSS/FreshRSS/commit/4568111c00813756a3a34a381d684b8354fc4438
    Patch