VYPR
Unrated severity · NVD Advisory · Published Sep 29, 2025 · Updated Sep 30, 2025

FreshRSS: Unauthorized creation of admin user when registration is enabled

CVE-2025-54875

Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 through 1.26.3, when registration is enabled, an unprivileged attacker can create a new admin user by submitting new_user_is_admin, a hidden field that is meant to be used only by the user management admin page. This is fixed in version 1.27.0.
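
The class of flaw described above, shown as an added example: a minimal Python model of a user-creation handler that trusts a client-supplied role flag, next to a form that honours the flag only for an authenticated admin. This is not FreshRSS code; apart from the field name new_user_is_admin, every name (Requester, create_user_vulnerable, create_user_hardened, the username key) and the sample form are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Requester:
    """Hypothetical authenticated caller; None stands for an anonymous visitor."""
    username: str
    is_admin: bool


# Constructed sample: a self-registration form carrying the admin-only field.
SAMPLE_FORM = {"username": "newuser", "new_user_is_admin": "1"}


def _truthy(value: Optional[str]) -> bool:
    """Interpret a form value the way a checkbox or hidden field is usually read."""
    return (value or "").strip().lower() in {"1", "true", "on", "yes"}


def _may_create(requester: Optional[Requester], registration_open: bool) -> bool:
    """Admins may always create users; anyone else only while registration is open."""
    return registration_open or (requester is not None and requester.is_admin)


def create_user_vulnerable(form: Mapping[str, str],
                           requester: Optional[Requester],
                           registration_open: bool) -> dict:
    """'Before' form: the role flag is taken from the request body as-is."""
    if not _may_create(requester, registration_open):
        raise PermissionError("registration is closed")
    return {"username": form["username"],
            "is_admin": _truthy(form.get("new_user_is_admin"))}


def create_user_hardened(form: Mapping[str, str],
                         requester: Optional[Requester],
                         registration_open: bool) -> dict:
    """'After' form: the role flag counts only when the caller is already an admin."""
    if not _may_create(requester, registration_open):
        raise PermissionError("registration is closed")
    caller_is_admin = requester is not None and requester.is_admin
    wants_admin = _truthy(form.get("new_user_is_admin"))
    return {"username": form["username"],
            "is_admin": wants_admin and caller_is_admin}
```

The point of the hardened form is that authorization for the role comes from the server-side session, never from the presence or absence of a field in the page's HTML.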

Affected products

  • FreshRSS/Freshrss (2 versions)
    • (no CPE) range: >=1.16.0, <=1.26.3
    • (no CPE) range: >=1.16.0, <1.27.0
