Vulnerability Database

309,364

Total vulnerabilities in the database

CVE-2025-61586

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.

Published: Sep 30, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-61586
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
freshrss / freshrss	-	1.27.0

https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5
https://github.com/FreshRSS/FreshRSS/pull/7722
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo