VYPR
Unrated severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025

FreshRSS has Incomplete Session Termination on Logout

CVE-2025-54592

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and fixation vulnerabilities. This issue is fixed in version 1.27.0

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • FreshRSS/Freshrssllm-fuzzy2 versions
    <=1.26.3+ 1 more
    • (no CPE)range: <=1.26.3
    • (no CPE)range: < 1.27.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.