Unrated severityNVD Advisory· Published Mar 9, 2026· Updated Mar 9, 2026

FreshRSS has an IDOR which allows for viewing feeds of any user and leaking tokens

CVE-2025-62166

Description

FreshRSS is a free, self-hostable RSS aggregator. Prior 1.28.0, a bug in the auth logic related to master authentication tokens, this restriction is bypassed. Usually only the default user's feed should be viewable if anonymous viewing is enabled, and feeds of other users should be private. This vulnerability is fixed in 1.28.0.

Affected products

FreshRSS/Freshrssv5
Range: < 1.28.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/FreshRSS/FreshRSS/commit/60cf5ea297a17db861e73cd65d7b7862bd6bcc24mitrex_refsource_MISC
github.com/FreshRSS/FreshRSS/pull/8165mitrex_refsource_MISC
github.com/FreshRSS/FreshRSS/releases/tag/1.28.0mitrex_refsource_MISC
github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w743-fg6g-mhwhmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000