VYPR
Unrated severityNVD Advisory· Published Sep 29, 2025· Updated Sep 30, 2025

FressRSS: Clickjacking can lead to XSS and/or privilege escalation

CVE-2025-57769

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • FreshRSS/Freshrssllm-fuzzy2 versions
    <=1.26.3+ 1 more
    • (no CPE)range: <=1.26.3
    • (no CPE)range: < 1.27.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.